CVE-2015-20106 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not esc ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-20105 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not hav ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF check whe ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-20067 (The WP Attachment Export WordPress plugin before 0.2.4 does not have p ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-20019 (The Content text slider on post WordPress plugin before 6.9 does not s ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-20002
	RESERVED
CVE-2015-20001 (In the standard library in Rust before 1.2.0, BinaryHeap is not panic- ...)
	- rustc 1.2.0+dfsg1-1
	[bullseye] - rustc (Minor issue)
	[buster] - rustc (Minor issue)
	NOTE: https://github.com/rust-lang/rust/issues/25842
	NOTE: https://github.com/rust-lang/rust/pull/25856
CVE-2015-9551 (An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1 ...)
	NOT-FOR-US: TOTOLINK
CVE-2015-9550 (An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1 ...)
	NOT-FOR-US: TOTOLINK
CVE-2015-9549 (A reflected Cross-site Scripting (XSS) vulnerability exists in OcPorta ...)
	NOT-FOR-US: OcPortal
CVE-2015-9548 (An issue was discovered in Mattermost Server before 1.2.0. It allows a ...)
	- mattermost-server (bug #823556)
CVE-2015-9547 (An issue was discovered on Samsung mobile devices with JBP(4.3) and KK ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2015-9546 (An issue was discovered on Samsung mobile devices with KK(4.4) and lat ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2015-9545 (An issue was discovered in xdLocalStorage through 2.0.5. The receiveMe ...)
	NOT-FOR-US: xdLocalStorage
CVE-2015-9544 (An issue was discovered in xdLocalStorage through 2.0.5. The receiveMe ...)
	NOT-FOR-US: xdLocalStorage
CVE-2015-9543 (An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 1 ...)
	- nova 2:20.1.1-1 (bug #951635)
	[buster] - nova (Minor issue)
	[stretch] - nova (Minor issue)
	[jessie] - nova (Minor issue)
	NOTE: https://launchpad.net/bugs/1492140
	NOTE: https://review.opendev.org/220622
	NOTE: https://www.openwall.com/lists/oss-security/2020/02/19/2
CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...)
	{DLA-2304-1 DLA-2116-1}
	- libpam-radius-auth 1.4.0-3 (bug #951396)
	[buster] - libpam-radius-auth 1.4.0-3~deb10u1
	NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
	NOTE: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
	NOTE: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686980
CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...)
	- qtbase-opensource-src 5.12.5+dfsg-9 (low; bug #951066)
	[buster] - qtbase-opensource-src (Minor issue)
	[stretch] - qtbase-opensource-src (Minor issue)
	[jessie] - qtbase-opensource-src (Minor issue; upstream patches use not-yet-available QStringView API)
	NOTE: https://bugreports.qt.io/browse/QTBUG-47417
	NOTE: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=fd4be84d23a0db4186cb42e736a9de3af722c7f7
	NOTE: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f432c08882ffebe5074ea28de871559a98a4d094 (5.12 backport)
CVE-2015-9540 (Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open red ...)
	NOT-FOR-US: Chamilo LMS
CVE-2015-9539 (The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows ...)
	NOT-FOR-US: Fast Secure Contact Form plugin for WordPress
CVE-2015-9538 (The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Dire ...)
	NOT-FOR-US: NextGEN Gallery plugin for WordPress
CVE-2015-9537 (The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XS ...)
	NOT-FOR-US: NextGEN Gallery plugin for WordPress
CVE-2015-9536 (The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9535 (The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as use ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9534 (The Easy Digital Downloads (EDD) Quota theme for WordPress, as used wi ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9533 (The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9532 (The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9531 (The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, a ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9530 (The Easy Digital Downloads (EDD) Upload File extension for WordPress, ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9529 (The Easy Digital Downloads (EDD) Stripe extension for WordPress, as us ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9528 (The Easy Digital Downloads (EDD) Software Licensing extension for Word ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9527 (The Easy Digital Downloads (EDD) Simple Shipping extension for WordPre ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9526 (The Easy Digital Downloads (EDD) Reviews extension for WordPress, as u ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9525 (The Easy Digital Downloads (EDD) Recurring Payments extension for Word ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9524 (The Easy Digital Downloads (EDD) Recount Earnings extension for WordPr ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9523 (The Easy Digital Downloads (EDD) Recommended Products extension for Wo ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9522 (The Easy Digital Downloads (EDD) QR Code extension for WordPress, as u ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9521 (The Easy Digital Downloads (EDD) Pushover Notifications extension for ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9520 (The Easy Digital Downloads (EDD) Per Product Emails extension for Word ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9519 (The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9518 (The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9517 (The Easy Digital Downloads (EDD) Manual Purchases extension for WordPr ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9516 (The Easy Digital Downloads (EDD) Invoices extension for WordPress, as ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9515 (The Easy Digital Downloads (EDD) htaccess Editor extension for WordPre ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9514 (The Easy Digital Downloads (EDD) Free Downloads extension for WordPres ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9513 (The Easy Digital Downloads (EDD) Favorites extension for WordPress, as ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9512 (The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9511 (The Easy Digital Downloads (EDD) Conditional Success Redirects extensi ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9510 (The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordP ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9509 (The Easy Digital Downloads (EDD) Content Restriction extension for Wor ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9508 (The Easy Digital Downloads (EDD) Commissions extension for WordPress, ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9507 (The Easy Digital Downloads (EDD) Attach Accounts to Orders extension f ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9506 (The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9505 (The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1. ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9504 (The weeklynews theme before 2.2.9 for WordPress has XSS via the s para ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9503 (The Modern theme before 1.4.2 for WordPress has XSS via the genericons ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9502 (The Auberge theme before 1.4.5 for WordPress has XSS via the genericon ...)
	NOT-FOR-US: Wordpress theme
CVE-2015-9501 (The Artificial Intelligence theme before 1.2.4 for WordPress has XSS b ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9500 (The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9499 (The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execut ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9498 (The wps-hide-login plugin before 1.1 for WordPress has CSRF that affec ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9497 (The ad-inserter plugin before 1.5.3 for WordPress has CSRF with result ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9496 (The freshmail-newsletter plugin before 1.6 for WordPress has shortcode ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9495 (The syndication-links plugin before 1.0.3 for WordPress has XSS via th ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9494 (The indieweb-post-kinds plugin before 1.3.1.1 for WordPress has XSS vi ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9493 (The my-wish-list plugin before 1.4.2 for WordPress has multiple XSS is ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9492 (The ThemeMakers SmartIT Premium Responsive theme through 2015-05-15 fo ...)
	NOT-FOR-US: ThemeMakers SmartIT Premium Responsive theme for WordPress
CVE-2015-9491 (The ThemeMakers Blessing Premium Responsive theme through 2015-05-15 f ...)
	NOT-FOR-US: ThemeMakers Blessing Premium Responsive theme for WordPress
CVE-2015-9490 (The ThemeMakers GamesTheme Premium theme through 2015-05-15 for WordPr ...)
	NOT-FOR-US: ThemeMakers GamesTheme Premium theme for WordPress
CVE-2015-9489 (The ThemeMakers Goodnex Premium Responsive theme through 2015-05-15 fo ...)
	NOT-FOR-US: ThemeMakers Goodnex Premium Responsive theme for WordPress
CVE-2015-9488 (The ThemeMakers Almera Responsive Portfolio Site Template component th ...)
	NOT-FOR-US: ThemeMakers Almera Responsive Portfolio Site Template component for WordPress
CVE-2015-9487 (The ThemeMakers Almera Responsive Portfolio theme through 2015-05-15 f ...)
	NOT-FOR-US: ThemeMakers Almera Responsive Portfolio theme for WordPress
CVE-2015-9486 (The ThemeMakers Axioma Premium Responsive theme through 2015-05-15 for ...)
	NOT-FOR-US: ThemeMakers Axioma Premium Responsive theme for WordPress
CVE-2015-9485 (The ThemeMakers Accio Responsive Parallax One Page Site Template compo ...)
	NOT-FOR-US: ThemeMakers Accio Responsive Parallax One Page Site Template component for WordPress
CVE-2015-9484 (The ThemeMakers Accio One Page Parallax Responsive theme through 2015- ...)
	NOT-FOR-US: ThemeMakers Accio One Page Parallax Responsive theme for WordPress
CVE-2015-9483 (The ThemeMakers Invento Responsive Gallery/Architecture Template compo ...)
	NOT-FOR-US: ThemeMakers Invento Responsive Gallery/Architecture Template component for WordPress
CVE-2015-9482 (The ThemeMakers Car Dealer / Auto Dealer Responsive theme through 2015 ...)
	NOT-FOR-US: ThemeMakers Car Dealer / Auto Dealer Responsive theme for WordPress
CVE-2015-9481 (The ThemeMakers Diplomat | Political theme through 2015-05-15 for Word ...)
	NOT-FOR-US: ThemeMakers Diplomat | Political theme for WordPress
CVE-2015-9480 (The RobotCPA plugin 5 for WordPress has directory traversal via the f. ...)
	NOT-FOR-US: RobotCPA plugin for WordPress
CVE-2015-9479 (The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has a ...)
	NOT-FOR-US: ACF-Frontend-Display plugin for WordPress
CVE-2015-9478 (prettyPhoto before 3.1.6 has js/jquery.prettyPhoto.js XSS. ...)
	NOT-FOR-US: prettyPhoto
CVE-2015-9477 (The Vernissage theme 1.2.8 for WordPress has insufficient restrictions ...)
	NOT-FOR-US: Vernissage theme for WordPress
CVE-2015-9476 (The Teardrop theme 1.8.1 for WordPress has insufficient restrictions o ...)
	NOT-FOR-US: Teardrop theme for WordPress
CVE-2015-9475 (The Pont theme 1.5 for WordPress has insufficient restrictions on opti ...)
	NOT-FOR-US: Pont theme for WordPress
CVE-2015-9474 (The Simpolio theme 1.3.2 for WordPress has insufficient restrictions o ...)
	NOT-FOR-US: Simpolio theme for WordPress
CVE-2015-9473 (The estrutura-basica theme through 2015-09-13 for WordPress has direct ...)
	NOT-FOR-US: estrutura-basica theme for WordPress
CVE-2015-9472 (The incoming-links plugin before 0.9.10b for WordPress has referrers.p ...)
	NOT-FOR-US: incoming-links plugin for WordPress
CVE-2015-9471 (The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.p ...)
	NOT-FOR-US: dzs-zoomsounds plugin for WordPress
CVE-2015-9470 (The history-collection plugin through 1.1.1 for WordPress has director ...)
	NOT-FOR-US: history-collection plugin for WordPress
CVE-2015-9469 (The content-grabber plugin 1.0 for WordPress has XSS via obj_field_nam ...)
	NOT-FOR-US: content-grabber plugin for WordPress
CVE-2015-9468 (The broken-link-manager plugin 0.4.5 for WordPress has XSS via the pag ...)
	NOT-FOR-US: broken-link-manager plugin for WordPress
CVE-2015-9467 (The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelU ...)
	NOT-FOR-US: broken-link-manager plugin for WordPress
CVE-2015-9466 (The wti-like-post plugin before 1.4.3 for WordPress has WtiLikePostPro ...)
	NOT-FOR-US: wti-like-post plugin for WordPress
CVE-2015-9465 (The yet-another-stars-rating plugin before 0.9.1 for WordPress has yas ...)
	NOT-FOR-US: yet-another-stars-rating plugin for WordPress
CVE-2015-9464 (The s3bubble-amazon-s3-html-5-video-with-adverts plugin 0.7 for WordPr ...)
	NOT-FOR-US: s3bubble-amazon-s3-html-5-video-with-adverts plugin for WordPress
CVE-2015-9463 (The s3bubble-amazon-s3-audio-streaming plugin 2.0 for WordPress has di ...)
	NOT-FOR-US: s3bubble-amazon-s3-audio-streaming plugin for WordPress
CVE-2015-9462 (The awesome-filterable-portfolio plugin before 1.9 for WordPress has a ...)
	NOT-FOR-US: awesome-filterable-portfolio plugin for WordPress
CVE-2015-9461 (The awesome-filterable-portfolio plugin before 1.9 for WordPress has a ...)
	NOT-FOR-US: awesome-filterable-portfolio plugin for WordPress
CVE-2015-9460 (The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTr ...)
	NOT-FOR-US: booking-system plugin for WordPress
CVE-2015-9459 (The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS v ...)
	NOT-FOR-US: searchterms-tagging-2 plugin for WordPress
CVE-2015-9458 (The searchterms-tagging-2 plugin through 1.535 for WordPress has SQL i ...)
	NOT-FOR-US: searchterms-tagging-2 plugin for WordPress
CVE-2015-9457 (The pretty-link plugin before 1.6.8 for WordPress has PrliLinksControl ...)
	NOT-FOR-US: pretty-link plugin for WordPress
CVE-2015-9456 (The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has ...)
	NOT-FOR-US: orbisius-child-theme-creator plugin for WordPress
CVE-2015-9455 (The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSR ...)
	NOT-FOR-US: buddypress-activity-plus plugin for WordPress
CVE-2015-9454 (The smooth-slider plugin before 2.7 for WordPress has SQL Injection vi ...)
	NOT-FOR-US: smooth-slider plugin for WordPress
CVE-2015-9453 (The broken-link-manager plugin before 0.6.0 for WordPress has XSS via ...)
	NOT-FOR-US: broken-link-manager plugin for WordPress
CVE-2015-9452 (The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPres ...)
	NOT-FOR-US: nex-forms-express-wp-form-builder plugin for WordPress
CVE-2015-9451 (The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPre ...)
	NOT-FOR-US: plugmatter-optin-feature-box-lite plugin for WordPress
CVE-2015-9450 (The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPre ...)
	NOT-FOR-US: plugmatter-optin-feature-box-lite plugin for WordPress
CVE-2015-9449 (The microblog-poster plugin before 1.6.2 for WordPress has SQL Injecti ...)
	NOT-FOR-US: microblog-poster plugin for WordPress
CVE-2015-9448 (The sendpress plugin before 1.2 for WordPress has SQL Injection via th ...)
	NOT-FOR-US: sendpress plugin for WordPress
CVE-2015-9447 (The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQ ...)
	NOT-FOR-US: unite-gallery-lite plugin for WordPress
CVE-2015-9446 (The unite-gallery-lite plugin before 1.5 for WordPress has SQL injecti ...)
	NOT-FOR-US: unite-gallery-lite plugin for WordPress
CVE-2015-9445 (The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQ ...)
	NOT-FOR-US: unite-gallery-lite plugin for WordPress
CVE-2015-9444 (The altos-connect plugin 1.3.0 for WordPress has XSS via the wp-conten ...)
	NOT-FOR-US: altos-connect plugin for WordPress
CVE-2015-9443 (The accurate-form-data-real-time-form-validation plugin 1.2 for WordPr ...)
	NOT-FOR-US: accurate-form-data-real-time-form-validation plugin for WordPress
CVE-2015-9442 (The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with r ...)
	NOT-FOR-US: avenirsoft-directdownload plugin for WordPress
CVE-2015-9441 (The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS ...)
	NOT-FOR-US: bookmarkify plugin for WordPress
CVE-2015-9440 (The monetize plugin through 1.03 for WordPress has CSRF with resultant ...)
	NOT-FOR-US: monetize plugin for WordPress
CVE-2015-9439 (The addthis plugin before 5.0.13 for WordPress has CSRF with resultant ...)
	NOT-FOR-US: addthis plugin for WordPress
CVE-2015-9438 (The display-widgets plugin before 2.04 for WordPress has XSS via the w ...)
	NOT-FOR-US: display-widgets plugin for WordPress
CVE-2015-9437 (The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with r ...)
	NOT-FOR-US: dynamic-widgets plugin for WordPress
CVE-2015-9436 (The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the ...)
	NOT-FOR-US: dynamic-widgets plugin for WordPress
CVE-2015-9435 (The oauth2-provider plugin before 3.1.5 for WordPress has incorrect ge ...)
	NOT-FOR-US: oauth2-provider plugin for WordPress
CVE-2015-9434 (The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with ...)
	NOT-FOR-US: kiwi-logo-carousel plugin for WordPress
CVE-2015-9433 (The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has ...)
	NOT-FOR-US: wp-social-bookmarking-light plugin for WordPress
CVE-2015-9432 (The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPres ...)
	NOT-FOR-US: alpine-photo-tile-for-instagram plugin for WordPress
CVE-2015-9431 (The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resul ...)
	NOT-FOR-US: qtranslate-x plugin for WordPress
CVE-2015-9430 (The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User- ...)
	NOT-FOR-US: crazy-bone plugin for WordPress
CVE-2015-9429 (The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF w ...)
	NOT-FOR-US: yith-maintenance-mode plugin for WordPress
CVE-2015-9428 (The wplegalpages plugin before 1.1 for WordPress has CSRF with resulta ...)
	NOT-FOR-US: wplegalpages plugin for WordPress
CVE-2015-9427 (The googmonify plugin through 0.5.1 for WordPress has CSRF with result ...)
	NOT-FOR-US: googmonify plugin for WordPress
CVE-2015-9426 (The manual-image-crop plugin before 1.11 for WordPress has CSRF with r ...)
	NOT-FOR-US: manual-image-crop plugin for WordPress
CVE-2015-9425 (The social-locker plugin before 4.2.5 for WordPress has CSRF with resu ...)
	NOT-FOR-US: social-locker plugin for WordPress
CVE-2015-9424 (The multicons plugin before 3.0 for WordPress has CSRF with resultant ...)
	NOT-FOR-US: multicons plugin for WordPress
CVE-2015-9423 (The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XS ...)
	NOT-FOR-US: PlugNedit Adaptive Editor plugin for WordPress
CVE-2015-9422 (The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CS ...)
	NOT-FOR-US: PlugNedit Adaptive Editor plugin for WordPress
CVE-2015-9421 (The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF wi ...)
	NOT-FOR-US: olevmedia-shortcodes plugin for WordPress
CVE-2015-9420 (The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via t ...)
	NOT-FOR-US: soundcloud-is-gold plugin for WordPress
CVE-2015-9419 (The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or C ...)
	NOT-FOR-US: captain-slider plugin for WordPress
CVE-2015-9418 (The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows ...)
	NOT-FOR-US: Watu Pro plugin for WordPress
CVE-2015-9417 (The testimonial-slider plugin through 1.2.1 for WordPress has CSRF wit ...)
	NOT-FOR-US: testimonial-slider plugin for WordPress
CVE-2015-9416 (The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPr ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9415 (The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclu ...)
	NOT-FOR-US: bj-lazy-load plugin for WordPress
CVE-2015-9414 (The wp-symposium plugin through 15.8.1 for WordPress has XSS via the w ...)
	NOT-FOR-US: wp-symposium plugin for WordPress
CVE-2015-9413 (The eshop plugin through 6.3.13 for WordPress has CSRF with resultant ...)
	NOT-FOR-US: eshop plugin for WordPress
CVE-2015-9412 (The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rst ...)
	NOT-FOR-US: Royal-Slider plugin for WordPress
CVE-2015-9411 (The Postmatic plugin before 1.4.6 for WordPress has XSS. ...)
	NOT-FOR-US: Postmatic plugin for WordPress
CVE-2015-9410 (The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS v ...)
	NOT-FOR-US: Blubrry PowerPress Podcasting plugin for WordPress
CVE-2015-9409 (The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resu ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9408 (The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options ...)
	NOT-FOR-US: xpinner-lite plugin for WordPress
CVE-2015-9407 (The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php ...)
	NOT-FOR-US: xpinner-lite plugin for WordPress
CVE-2015-9406 (Directory traversal vulnerability in the mTheme-Unus theme before 2.3 ...)
	NOT-FOR-US: mTheme-Unus theme for WordPress
CVE-2015-9405 (The wp-piwik plugin before 1.0.5 for WordPress has XSS. ...)
	NOT-FOR-US: wp-piwik plugin for WordPress
CVE-2015-9404 (The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS. ...)
	NOT-FOR-US: neuvoo-jobroll plugin for WordPress
CVE-2015-9403 (The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS. ...)
	NOT-FOR-US: neuvoo-jobroll plugin for WordPress
CVE-2015-9402 (The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs ...)
	NOT-FOR-US: users-ultra plugin for WordPress
CVE-2015-9401 (The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/to ...)
	NOT-FOR-US: websimon-tables plugin for WordPress
CVE-2015-9400 (The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admi ...)
	NOT-FOR-US: wordpress-meta-robots plugin for WordPress
CVE-2015-9399 (The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/gr ...)
	NOT-FOR-US: wp-stats-dashboard plugin for WordPress
CVE-2015-9398 (The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php ...)
	NOT-FOR-US: gocodes plugin for WordPress
CVE-2015-9397 (The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php ...)
	NOT-FOR-US: gocodes plugin for WordPress
CVE-2015-9396 (The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content ...)
	NOT-FOR-US: auto-thickbox-plus plugin for WordPress
CVE-2015-9395 (The users-ultra plugin before 1.5.64 for WordPress has SQL Injection v ...)
	NOT-FOR-US: users-ultra plugin for WordPress
CVE-2015-9394 (The users-ultra plugin before 1.5.63 for WordPress has CSRF via action ...)
	NOT-FOR-US: users-ultra plugin for WordPress
CVE-2015-9393 (The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_d ...)
	NOT-FOR-US: users-ultra plugin for WordPress
CVE-2015-9392 (The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_n ...)
	NOT-FOR-US: users-ultra plugin for WordPress
CVE-2015-9391 (The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 pa ...)
	NOT-FOR-US: yawpp plugin for WordPress
CVE-2015-9390 (The admin-management-xtended plugin before 2.4.0.1 for WordPress has p ...)
	NOT-FOR-US: admin-management-xtended plugin for WordPress
CVE-2015-9389 (The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz n ...)
	NOT-FOR-US: mtouch-quiz plugin for WordPress
CVE-2015-9388 (The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.ph ...)
	NOT-FOR-US: mtouch-quiz plugin for WordPress
CVE-2015-9387 (The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options ...)
	NOT-FOR-US: mtouch-quiz plugin for WordPress
CVE-2015-9386 (The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz ...)
	NOT-FOR-US: mtouch-quiz plugin for WordPress
CVE-2015-9385 (The quotes-and-tips plugin before 1.20 for WordPress has XSS. ...)
	NOT-FOR-US: quotes-and-tips plugin for WordPress
CVE-2015-9384 (The relevant plugin before 1.0.8 for WordPress has XSS. ...)
	NOT-FOR-US: relevant plugin for WordPress
CVE-2015-9383 (FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_v ...)
	{DLA-1909-1}
	- freetype 2.6.3-1
	NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=57cbb8c148999ba8f14ed53435fc071ac9953afd
	NOTE: https://savannah.nongnu.org/bugs/?46346
CVE-2015-9382 (FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/ ...)
	{DLA-1909-1}
	- freetype 2.6.1-0.1
	NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/psaux/psobjs.c?id=db5a4a9ae7b0048f033361744421da8569642f73
	NOTE: https://savannah.nongnu.org/bugs/?45922
CVE-2015-9381 (FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Priv ...)
	{DLA-1909-1}
	- freetype 2.6.1-0.1
	NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1parse.c?id=7962a15d64c876870ca0ae435ea2467d9be268d9
	NOTE: https://savannah.nongnu.org/bugs/?45955
CVE-2015-9380 (The photo-gallery plugin before 1.2.42 for WordPress has CSRF. ...)
	NOT-FOR-US: photo-gallery plugin for WordPress
CVE-2015-9379 (iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via a ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9378 (iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via a ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9377 (iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via ad ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9376 (iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9375 (Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordP ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9374 (Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9373 (PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9372 (Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9371 (Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPres ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9370 (Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XS ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9369 (Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordP ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9368 (Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2 ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9367 (Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9366 (Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordP ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9365 (Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress h ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9364 (2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has X ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9363 (iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9362 (The Post Connector plugin before 1.0.4 for WordPress has XSS via add_q ...)
	NOT-FOR-US: Post Connector plugin for WordPress
CVE-2015-9361 (The Related Posts plugin before 1.8.2 for WordPress has XSS via add_qu ...)
	NOT-FOR-US: Related Posts plugin for WordPress
CVE-2015-9360 (The updraftplus plugin before 1.9.64 for WordPress has XSS via add_que ...)
	NOT-FOR-US: updraftplus plugin for WordPress
CVE-2015-9359 (The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_ar ...)
	NOT-FOR-US: Jetpack plugin for WordPress
CVE-2015-9358 (The feedwordpress plugin before 2015.0514 for WordPress has XSS via ad ...)
	NOT-FOR-US: feedwordpress plugin for WordPress
CVE-2015-9357 (The akismet plugin before 3.1.5 for WordPress has XSS. ...)
	NOT-FOR-US: akismet plugin for WordPress
CVE-2015-9356 (The wp-vipergb plugin before 1.3.16 for WordPress has XSS via add_quer ...)
	NOT-FOR-US: wp-vipergb plugin for WordPress
CVE-2015-9355 (The two-factor-authentication plugin before 1.1.10 for WordPress has X ...)
	NOT-FOR-US: two-factor-authentication plugin for WordPress
CVE-2015-9354 (The gigpress plugin before 2.3.11 for WordPress has XSS. ...)
	NOT-FOR-US: gigpress plugin for WordPress
CVE-2015-9353 (The gigpress plugin before 2.3.11 for WordPress has SQL injection in t ...)
	NOT-FOR-US: gigpress plugin for WordPress
CVE-2015-9352 (The wp-polls plugin before 2.72 for WordPress has SQL injection. ...)
	NOT-FOR-US: wp-polls plugin for WordPress
CVE-2015-9351 (The feed-them-social plugin before 1.7.0 for WordPress has possible sh ...)
	NOT-FOR-US: feed-them-social plugin for WordPress
CVE-2015-9350 (The feed-them-social plugin before 1.7.0 for WordPress has reflected X ...)
	NOT-FOR-US: feed-them-social plugin for WordPress
CVE-2015-9349 (The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has ref ...)
	NOT-FOR-US: ckeditor-for-wordpress plugin for WordPress
CVE-2015-9348 (The sell-downloads plugin before 1.0.8 for WordPress has insufficient ...)
	NOT-FOR-US: sell-downloads plugin for WordPress
CVE-2015-9347 (The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors. ...)
	NOT-FOR-US: wp-plotly plugin for WordPress
CVE-2015-9346 (The cp-polls plugin before 1.0.5 for WordPress has XSS. ...)
	NOT-FOR-US: cp-polls plugin for WordPress
CVE-2015-9345 (The link-log plugin before 2.0 for WordPress has HTTP Response Splitti ...)
	NOT-FOR-US: link-log plugin for WordPress
CVE-2015-9344 (The link-log plugin before 2.1 for WordPress has SQL injection. ...)
	NOT-FOR-US: link-log plugin for WordPress
CVE-2015-9343 (The wp-rollback plugin before 1.2.3 for WordPress has CSRF. ...)
	NOT-FOR-US: wp-rollback plugin for WordPress
CVE-2015-9342 (The wp-rollback plugin before 1.2.3 for WordPress has XSS. ...)
	NOT-FOR-US: wp-rollback plugin for WordPress
CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has insufficient ...)
	NOT-FOR-US: wp-file-upload plugin for WordPress
CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has insufficient ...)
	NOT-FOR-US: wp-file-upload plugin for WordPress
CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has insufficient ...)
	NOT-FOR-US: wp-file-upload plugin for WordPress
CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has insufficient ...)
	NOT-FOR-US: wp-file-upload plugin for WordPress
CVE-2015-9337 (The profile-builder plugin before 2.1.4 for WordPress has no access co ...)
	NOT-FOR-US: profile-builder plugin for WordPress
CVE-2015-9336 (The clean-login plugin before 1.5.1 for WordPress has reflected XSS. ...)
	NOT-FOR-US: clean-login plugin for WordPress
CVE-2015-9335 (The limit-attempts plugin before 1.1.1 for WordPress has SQL injection ...)
	NOT-FOR-US: limit-attempts plugin for WordPress
CVE-2015-9334 (The email-newsletter plugin through 20.15 for WordPress has SQL inject ...)
	NOT-FOR-US: email-newsletter plugin for WordPress
CVE-2015-9333 (The cforms2 plugin before 14.6.10 for WordPress has SQL injection. ...)
	NOT-FOR-US: cforms2 plugin for WordPress
CVE-2015-9332 (The uninstall plugin before 1.2 for WordPress has CSRF to delete all t ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9331 (The wp-all-import plugin before 3.2.4 for WordPress has no prevention ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9330 (The wp-all-import plugin before 3.2.5 for WordPress has blind SQL inje ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9329 (The wp-all-import plugin before 3.2.5 for WordPress has reflected XSS. ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-9328 (The profile-builder plugin before 2.2.5 for WordPress has XSS. ...)
	NOT-FOR-US: profile-builder plugin for WordPress
CVE-2015-9327 (The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS ...)
	NOT-FOR-US: flickr-justified-gallery plugin for WordPress
CVE-2015-9326 (The wp-business-intelligence-lite plugin before 1.6.3 for WordPress ha ...)
	NOT-FOR-US: wp-business-intelligence-lite plugin for WordPress
CVE-2015-9325 (The visitors-online plugin before 0.4 for WordPress has SQL injection. ...)
	NOT-FOR-US: visitors-online plugin for WordPress
CVE-2015-9324 (The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL i ...)
	NOT-FOR-US: easy-digital-downloads plugin for WordPress
CVE-2015-9323 (The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection. ...)
	NOT-FOR-US: 404-to-301 plugin for WordPress
CVE-2015-9322 (The erident-custom-login-and-dashboard plugin before 3.5 for WordPress ...)
	NOT-FOR-US: erident-custom-login-and-dashboard plugin for WordPress
CVE-2015-9321 (The shortcode-factory plugin before 1.1.1 for WordPress has XSS via ad ...)
	NOT-FOR-US: shortcode-factory plugin for WordPress
CVE-2015-9320 (The option-tree plugin before 2.5.4 for WordPress has XSS related to a ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9319 (The gregs-high-performance-seo plugin before 1.6.2 for WordPress has X ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9318 (The awesome-support plugin before 3.1.7 for WordPress has a security i ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9317 (The awesome-support plugin before 3.1.7 for WordPress has XSS via cust ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9316 (The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injec ...)
	NOT-FOR-US: wp-fastest-cache plugin for WordPress
CVE-2015-9315 (The newstatpress plugin before 1.0.1 for WordPress has SQL injection. ...)
	NOT-FOR-US: newstatpress plugin for WordPress
CVE-2015-9314 (The newstatpress plugin before 1.0.4 for WordPress has XSS related to ...)
	NOT-FOR-US: newstatpress plugin for WordPress
CVE-2015-9313 (The newstatpress plugin before 1.0.5 for WordPress has SQL injection r ...)
	NOT-FOR-US: newstatpress plugin for WordPress
CVE-2015-9312 (The newstatpress plugin before 1.0.5 for WordPress has XSS related to ...)
	NOT-FOR-US: newstatpress plugin for WordPress
CVE-2015-9311 (The newstatpress plugin before 1.0.6 for WordPress has reflected XSS. ...)
	NOT-FOR-US: newstatpress plugin for WordPress
CVE-2015-9310 (The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPr ...)
	NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress
CVE-2015-9309 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...)
	NOT-FOR-US: wp-google-map-plugin plugin for WordPress
CVE-2015-9308 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...)
	NOT-FOR-US: wp-google-map-plugin plugin for WordPress
CVE-2015-9307 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...)
	NOT-FOR-US: wp-google-map-plugin plugin for WordPress
CVE-2015-9306 (The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS ...)
	NOT-FOR-US: wp-ultimate-csv-importer plugin for WordPress
CVE-2015-9305 (The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS rel ...)
	NOT-FOR-US: wp-google-map-plugin plugin for WordPress
CVE-2015-9304 (The ultimate-member plugin before 1.3.18 for WordPress has XSS via tex ...)
	NOT-FOR-US: ultimate-member plugin for WordPress
CVE-2015-9303 (The simple-share-buttons-adder plugin before 6.0.0 for WordPress has X ...)
	NOT-FOR-US: simple-share-buttons-adder plugin for WordPress
CVE-2015-9302 (The simple-fields plugin before 1.4.11 for WordPress has XSS. ...)
	NOT-FOR-US: simple-fields plugin for WordPress
CVE-2015-9301 (The liveforms plugin before 3.2.0 for WordPress has SQL injection. ...)
	NOT-FOR-US: liveforms plugin for WordPress
CVE-2015-9300 (The events-manager plugin before 5.5.7 for WordPress has multiple XSS ...)
	NOT-FOR-US: events-manager plugin for WordPress
CVE-2015-9299 (The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS. ...)
	NOT-FOR-US: events-manager plugin for WordPress
CVE-2015-9298 (The events-manager plugin before 5.6 for WordPress has code injection. ...)
	NOT-FOR-US: events-manager plugin for WordPress
CVE-2015-9297 (The events-manager plugin before 5.6 for WordPress has XSS. ...)
	NOT-FOR-US: events-manager plugin for WordPress
CVE-2015-9296 (The download-monitor plugin before 1.7.1 for WordPress has XSS related ...)
	NOT-FOR-US: download-monitor plugin for WordPress
CVE-2015-9295 (The contact-form-plugin plugin before 3.96 for WordPress has XSS. ...)
	NOT-FOR-US: contact-form-plugin plugin for WordPress
CVE-2015-9294 (The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPr ...)
	NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress
CVE-2015-9293 (The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPr ...)
	NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress
CVE-2015-9292 (6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code p ...)
	NOT-FOR-US: 6kbbs
CVE-2015-9291 (cPanel before 11.52.0.13 does not prevent arbitrary file-read operatio ...)
	NOT-FOR-US: cPanel
CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c ...)
	{DLA-1887-1}
	- freetype 2.6.1-0.1
	NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1parse.c?id=e3058617f384cb6709f3878f753fa17aca9e3a30
	NOTE: https://savannah.nongnu.org/bugs/?45923
CVE-2015-9289 (In the Linux kernel before 4.1.4, a buffer overflow occurs when checki ...)
	- linux 4.1.5-1
	NOTE: https://git.kernel.org/linus/1fa2337a315a2448c5434f41e00d56b01a22283c
CVE-2015-9288 (The Unity Web Player plugin before 4.6.6f2 and 5.x before 5.0.3f2 allo ...)
	NOT-FOR-US: Unity Web Player plugin
CVE-2015-9287 (Directory Traversal was discovered in University of Cambridge mod_ucam ...)
	NOT-FOR-US: mod_ucam_webauth
CVE-2015-9286 (Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 ha ...)
	NOT-FOR-US: NodeBB
CVE-2015-9285 (esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI. ...)
	NOT-FOR-US: esoTalk
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...)
	- ruby-omniauth (bug #973384)
	[bullseye] - ruby-omniauth (Minor issue)
	[buster] - ruby-omniauth (Minor issue)
	[stretch] - ruby-omniauth (Minor issue)
	[jessie] - ruby-omniauth (Fix is in additional gem and needs CSRF protection in apps)
	NOTE: https://github.com/omniauth/omniauth/pull/809
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
CVE-2015-9283 RESERVED
CVE-2015-9282 (The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerabl ...)
	NOT-FOR-US: Grafana plugin
CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows r ...)
	NOT-FOR-US: SAS Web Infrastructure Platform
CVE-2015-9280 (MailEnable before 8.60 allows XXE via an XML document in the request.a ...)
	NOT-FOR-US: MailEnable
CVE-2015-9279 (MailEnable before 8.60 allows Stored XSS via malformed use of "<img ...)
	NOT-FOR-US: MailEnable
CVE-2015-9278 (MailEnable before 8.60 allows Privilege Escalation because admin accou ...)
	NOT-FOR-US: MailEnable
CVE-2015-9277 (MailEnable before 8.60 allows Directory Traversal for reading the mess ...)
	NOT-FOR-US: MailEnable
CVE-2015-9276 (SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS ...)
	NOT-FOR-US: SmarterTools SmarterMail
CVE-2015-9274 (HarfBuzz before 1.0.4 allows remote attackers to cause a denial of ser ...)
	- harfbuzz 1.2.6-1
	[jessie] - harfbuzz (Vulnerable code introduced later)
	NOTE: https://github.com/harfbuzz/harfbuzz/commit/c917965b9e6fe2b21ed6c51559673288fa3af4b7
CVE-2015-9273 (The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for Wor ...)
	NOT-FOR-US: WordPress plugin wp-slimstat
CVE-2015-9272 (The videowhisper-video-presentation plugin 3.31.17 for WordPress allow ...)
	NOT-FOR-US: videowhisper-video-presentation plugin for WordPress
CVE-2015-9271 (The VideoWhisper videowhisper-video-conference-integration plugin 4.91 ...)
	NOT-FOR-US: WordPress plugin videowhisper-video-conference-integration
CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPr ...)
	NOT-FOR-US: the-holiday-calendar plugin for WordPress
CVE-2015-9269 (The export/content.php exportarticle feature in the wordpress-mobile-p ...)
	NOT-FOR-US: wordpress-mobile-pack plugin for WordPress
CVE-2015-9268 (Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe impli ...)
	{DLA-1602-1}
	- nsis 2.50-1
	NOTE: https://sourceforge.net/p/nsis/bugs/1125/
CVE-2015-9267 (Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary f ...)
	{DLA-1602-1}
	- nsis 2.50-1
	NOTE: https://sourceforge.net/p/nsis/bugs/1125/
CVE-2015-9266 (The web management interface of Ubiquiti airMAX, airFiber, airGateway ...)
	NOT-FOR-US: Ubiquiti
CVE-2015-9265 REJECTED
CVE-2015-9264 (Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute ...)
	NOT-FOR-US: Lansweeper
CVE-2015-9263 (An issue was discovered in post2file.php in Up.Time Monitoring Station ...)
	NOT-FOR-US: Up.Time
CVE-2015-9262 (_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows ...)
	{DLA-1469-1}
	- libxcursor 1:1.1.15-1 (low; bug #906012)
	[stretch] - libxcursor 1:1.1.14-1+deb9u2
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90857
	NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=897213f36baf6926daf6d192c709cf627aa5fd05
CVE-2015-9260 (An issue was discovered in BEdita before 3.7.0. A cross-site scripting ...)
	NOT-FOR-US: BEdita
CVE-2015-9259 (In Docker Notary before 0.1, the checkRoot function in gotuf/client/cl ...)
	- notary 0.1~ds1-1
CVE-2015-9258 (In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Al ...)
	- notary 0.1~ds1-1
CVE-2015-9257 (BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 ...)
	NOT-FOR-US: BMC Remedy Action Request (AR) System
CVE-2015-9256 (Datto ALTO and SIRIS devices allow remote attackers to obtain sensitiv ...)
	NOT-FOR-US: Datto ALTO and SIRIS devices
CVE-2015-9255 (Datto ALTO and SIRIS devices allow remote attackers to obtain sensitiv ...)
	NOT-FOR-US: Datto ALTO and SIRIS devices
CVE-2015-9254 (Datto ALTO and SIRIS devices have a default VNC password. ...)
	NOT-FOR-US: Datto ALTO and SIRIS devices
CVE-2015-9253 (An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before ...)
	- php7.3 (Fixed with initial upload to unstable)
	- php7.2 7.2.8-1 (unimportant)
	- php7.1 7.1.20-1 (unimportant)
	- php7.0 (unimportant)
	- php5 (unimportant)
	NOTE: https://bugs.php.net/bug.php?id=73342
	NOTE: https://bugs.php.net/bug.php?id=70185
	NOTE: https://bugs.php.net/bug.php?id=75968
	NOTE: Only exploitable with malicious script
CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion causes ...)
	- qpdf 7.0.0-1
	[stretch] - qpdf (Minor issue)
	[jessie] - qpdf (Minor issue)
	[wheezy] - qpdf (Minor issue)
	NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e
	NOTE: https://github.com/qpdf/qpdf/issues/51
CVE-2015-1142857 (On multiple SR-IOV cards it is possible for VF's assigned to guests to ...)
	NOT-FOR-US: SR-IOV cards
CVE-2015-9251 (jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attack ...)
	- jquery 3.1.1-1
	[jessie] - jquery (Too intrusive to backport)
	[wheezy] - jquery (Too invasive to fix)
	NOTE: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
	NOTE: https://github.com/jquery/jquery/issues/2432
	NOTE: https://github.com/jquery/jquery/pull/2588
	NOTE: https://snyk.io/vuln/npm:jquery:20150627
	NOTE: only 3.0 was fixed upstream, because fix considered too invasive: https://github.com/jquery/jquery/issues/2432#issuecomment-290983196
CVE-2015-9250 (An issue was discovered in Skybox Platform before 7.5.201. Directory T ...)
	NOT-FOR-US: Skybox Platform
CVE-2015-9249 (An issue was discovered in Skybox Platform before 7.5.201. SQL Injecti ...)
	NOT-FOR-US: Skybox Platform
CVE-2015-9248 (An issue was discovered in Skybox Platform before 7.5.201. Stored cros ...)
	NOT-FOR-US: Skybox Platform
CVE-2015-9247 (An issue was discovered in Skybox Platform before 7.5.401. Reflected c ...)
	NOT-FOR-US: Skybox Platform
CVE-2015-9246 (An issue was discovered in Skybox Platform before 7.5.201. Remote Unau ...)
	NOT-FOR-US: Skybox Platform
CVE-2015-9245 (Insecure default configuration in Progress Software OpenEdge 10.2x and ...)
	NOT-FOR-US: Progress Software OpenEdge
CVE-2015-9243 (When server level, connection level or route level CORS configurations ...)
	NOT-FOR-US: hapi
CVE-2015-9242 (Certain input strings when passed to new Date() or Date.parse() in ecs ...)
	NOT-FOR-US: ecstatic
CVE-2015-9241 (Certain input passed into the If-Modified-Since or Last-Modified heade ...)
	NOT-FOR-US: hapi
CVE-2015-9240 (Due to a bug in the default sign in functionality in the keystone ...)
	NOT-FOR-US: keystone node module
CVE-2015-9239 (ansi2html is vulnerable to regular expression denial of service (ReDoS ...)
	NOT-FOR-US: ansi2html
CVE-2015-9238 (secure-compare 3.0.0 and below do not actually compare two strings pro ...)
	NOT-FOR-US: secure-compare node module
CVE-2015-9237 RESERVED
CVE-2015-9236 (Hapi versions less than 11.0.0 implement CORS incorrectly and allowed ...)
	NOT-FOR-US: hapi
CVE-2015-9235 (In jsonwebtoken node module before 4.2.2 it is possible for an attacke ...)
	NOT-FOR-US: jsonwebtoken node module
CVE-2015-9234 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plug ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9233 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plug ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9232 (The Good for Enterprise application 3.0.0.415 for Android does not use ...)
	NOT-FOR-US: Good for Enterprise application for Android
CVE-2015-9231 (iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords ...)
	NOT-FOR-US: iTerm2
CVE-2015-9230 (In the admin/db-backup-security/db-backup-security.php page in the Bul ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-9229 (In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery ...)
	NOT-FOR-US: Photocrati NextGEN Gallery
CVE-2015-9228 (In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for Wo ...)
	NOT-FOR-US: Photocrati NextGEN Gallery plugin for WordPress
CVE-2015-9227 (PHP remote file inclusion vulnerability in the get_file function in up ...)
	NOT-FOR-US: AlegroCart
CVE-2015-9226 (Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow remot ...)
	NOT-FOR-US: AlegroCart
CVE-2015-9225 REJECTED
CVE-2015-9224 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9223 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9222 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9221 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9220 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9219 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9218 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9217 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9216 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9215 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9214 REJECTED
CVE-2015-9213 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9212 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9211 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9210 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9209 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9208 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9207 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9206 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9205 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9204 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9203 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9202 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9201 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9200 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9199 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9198 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9197 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9196 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9195 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9194 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9193 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9192 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9191 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9190 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9189 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9188 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9187 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9186 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9185 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9184 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9183 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9182 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9181 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9180 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9179 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9178 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9177 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9176 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9175 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9174 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9173 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9172 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9171 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9170 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9169 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9168 REJECTED
CVE-2015-9167 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9166 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9165 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9164 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9163 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9162 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9161 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9160 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9159 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9158 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9157 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9156 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9155 REJECTED
CVE-2015-9154 REJECTED
CVE-2015-9153 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9152 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9151 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9150 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9149 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9148 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9147 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9146 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9145 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9144 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9143 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9142 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9141 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9140 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9139 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9138 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9137 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9136 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9135 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9134 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9133 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9132 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9131 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9130 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9129 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9128 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9127 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9126 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9125 REJECTED
CVE-2015-9124 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9123 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9122 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9121 REJECTED
CVE-2015-9120 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9119 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9118 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9117 REJECTED
CVE-2015-9116 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9115 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9114 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9113 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9112 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9111 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9110 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9109 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9108 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9107 (Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption a ...)
	NOT-FOR-US: Zoho ManageEngine OpManager
CVE-2015-9106 RESERVED
	NOT-FOR-US: WordPress plugin the-holiday-calendar
CVE-2015-9105 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Video ...)
	NOT-FOR-US: Synology
CVE-2015-9104 (Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5 ...)
	NOT-FOR-US: Synology
CVE-2015-9103 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Note S ...)
	NOT-FOR-US: Synology
CVE-2015-9102 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo ...)
	NOT-FOR-US: Synology
CVE-2015-9098 (In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attack ...)
	NOT-FOR-US: Redgate SQL Monitor
CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection ...)
	{DSA-3966-1 DLA-1421-1}
	- ruby2.3 2.3.3-1+deb9u1 (bug #864860)
	- ruby2.1
	- ruby1.9.1
	[wheezy] - ruby1.9.1 (Minor issue, Net::SMTP users should validate data they send too)
	- ruby1.8
	[wheezy] - ruby1.8 (Minor issue, Net::SMTP users should validate data they send too)
	NOTE: https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
	NOTE: https://github.com/rubysec/ruby-advisory-db/issues/215
CVE-2015-9095 REJECTED
CVE-2015-9094 REJECTED
CVE-2015-9093 REJECTED
CVE-2015-9092 REJECTED
CVE-2015-9091 REJECTED
CVE-2015-9090 REJECTED
CVE-2015-9089 REJECTED
CVE-2015-9088 REJECTED
CVE-2015-9087 REJECTED
CVE-2015-9086 REJECTED
CVE-2015-9085 REJECTED
CVE-2015-9084 REJECTED
CVE-2015-9083 REJECTED
CVE-2015-9082 REJECTED
CVE-2015-9081 REJECTED
CVE-2015-9080 REJECTED
CVE-2015-9079 REJECTED
CVE-2015-9078 REJECTED
CVE-2015-9077 REJECTED
CVE-2015-9076 REJECTED
CVE-2015-9075 REJECTED
CVE-2015-9074 REJECTED
CVE-2015-9073 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9072 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9071 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9070 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9069 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9068 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9067 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9066 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9065 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9064 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9063 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9062 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9061 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9060 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9059 (picocom before 2.0 has a command injection vulnerability in the 'send ...)
	{DLA-2259-1 DLA-974-1}
	- picocom 1.7-2 (bug #863671)
	NOTE: https://github.com/npat-efault/picocom/commit/1ebc60b20fbe9a02436d5cbbf8951714e749ddb1
CVE-2015-9058 (Open redirect vulnerability in Proxmox Mail Gateway prior to hotfix 4. ...)
	NOT-FOR-US: Proxmox Mail Gateway
CVE-2015-9057 (Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Ga ...)
	NOT-FOR-US: Proxmox Mail Gateway
CVE-2015-9056 (Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attac ...)
	- kibana (bug #700337)
CVE-2015-9055 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9054 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9053 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9052 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9051 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9050 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9049 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9048 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9047 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9046 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9045 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9044 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9043 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9042 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9041 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9040 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9039 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9038 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9037 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9036 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9035 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9034 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9033 (In all Android releases from CAF using the Linux kernel, a QTEE system ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9032 (In all Android releases from CAF using the Linux kernel, a DRM key was ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9031 (In all Android releases from CAF using the Linux kernel, a TZ memory a ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9030 (In all Android releases from CAF using the Linux kernel, the Hyperviso ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9029 (In all Android releases from CAF using the Linux kernel, a vulnerabili ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9028 (In all Android releases from CAF using the Linux kernel, a buffer over ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9027 (In all Android releases from CAF using the Linux kernel, an untrusted ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9026 (In all Android releases from CAF using the Linux kernel, an untrusted ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9025 (In all Android releases from CAF using the Linux kernel, a buffer over ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9024 (In all Android releases from CAF using the Linux kernel, some interfac ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9023 (In all Android releases from CAF using the Linux kernel, a buffer over ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9022 (In all Android releases from CAF using the Linux kernel, time-of-check ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9021 (In all Android releases from CAF using the Linux kernel, access contro ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9020 (In all Android releases from CAF using the Linux kernel, an untrusted ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2015-9019 (In libxslt 1.1.29 and earlier, the EXSLT math.random function was not ...)
	- libxslt (unimportant; bug #859796)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758400
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=934119
	NOTE: There's no indication that math.random() is intended to ensure cryptographic
	NOTE: randomness requirements. Proper seeding needs to happen in the application
	NOTE: using libxslt.
CVE-2015-9018 RESERVED
CVE-2015-9017 RESERVED
CVE-2015-9016 (In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a pos ...)
	{DSA-4187-1}
	- linux 4.2.3-1
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed1222283492070027aa9 (4.3-rc1)
CVE-2015-9015 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9014 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9013 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9012 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9011 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9010 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9009 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9008 (An elevation of privilege vulnerability in Qualcomm closed source comp ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9007 (In TrustZone in all Android releases from CAF using the Linux kernel, ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9006 (In Resource Power Manager (RPM) in all Android releases from CAF using ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9005 (In TrustZone in all Android releases from CAF using the Linux kernel, ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9004 (kernel/events/core.c in the Linux kernel before 3.19 mishandles counte ...)
	- linux 3.16.7-ckt7-1
	[wheezy] - linux (Vulnerable code not present)
CVE-2015-9003 (In TrustZone a cryptographic issue can potentially occur in all Androi ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9002 (In TrustZone an out-of-range pointer offset vulnerability can potentia ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9001 (In TrustZone an information exposure vulnerability can potentially occ ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-9000 (In TrustZone an untrusted pointer dereference vulnerability can potent ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8999 (In TrustZone a buffer overflow vulnerability can potentially occur in ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8998 (In TrustZone an integer overflow vulnerability can potentially occur i ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8997 (In TrustZone a time-of-check time-of-use race condition could potentia ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8996 (In TrustZone a time-of-check time-of-use race condition could potentia ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8995 (In TrustZone an integer overflow vulnerability can potentially occur i ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8994 (An issue was discovered in PHP 5.x and 7.x, when the configuration use ...)
	- php7.1 (Fixed before initial upload to Debian)
	- php7.0 7.0.14-1
	- php5
	[jessie] - php5 5.6.29+dfsg-0+deb8u1
	[wheezy] - php5 (vulnerable code not present)
	NOTE: Fixed in 7.1.0, 7.0.14, 5.6.29
	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=69090
CVE-2015-8993 (Malicious file execution vulnerability in Intel Security CloudAV (Beta ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8992 (Malicious file execution vulnerability in Intel Security WebAdvisor be ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8991 (Malicious file execution vulnerability in Intel Security McAfee Securi ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8990 (Detection bypass vulnerability in Intel Security Advanced Threat Defen ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8989 (Unsalted password vulnerability in the Enterprise Manager (web portal) ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8988 (Unquoted executable path vulnerability in Client Management and Gatewa ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8987 (Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8986 (Sandbox detection evasion vulnerability in hardware appliances in McAf ...)
	NOT-FOR-US: Intel antivirus
CVE-2015-8981 (Heap-based buffer overflow in the PdfParser::ReadXRefSubsection functi ...)
	{DLA-929-1}
	- libpodofo 0.9.4-1 (bug #854599)
	[jessie] - libpodofo (Minor issue)
	NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/
	NOTE: https://sourceforge.net/p/podofo/code/1672
CVE-2015-8980 (The plural form formula in ngettext family of calls in php-gettext bef ...)
	- php-gettext 1.0.12-0.1 (bug #851770)
	[jessie] - php-gettext (Minor issue)
	[wheezy] - php-gettext (Minor issue)
	- phpmyadmin 4:4.6.6-1 (unimportant)
	NOTE: For phpmyadmin, unimportant, since it embeds the lib but does not use it in an exploitable way
	NOTE: http://seclists.org/fulldisclosure/2016/Aug/76
	NOTE: Upstream patch: https://bazaar.launchpad.net/~danilo/php-gettext/trunk/revision/61
CVE-2015-8979 (Stack-based buffer overflow in the parsePresentationContext function i ...)
	{DSA-3749-1 DLA-755-1}
	- dcmtk 3.6.1~20160216-2 (bug #848830)
	NOTE: 3.6.1~20160216-2 is the first version in unstable containing the fix
	NOTE: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php
	NOTE: Fixed by: https://github.com/commontk/DCMTK/commit/1b6bb76
	NOTE: https://www.openwall.com/lists/oss-security/2016/12/17/2
CVE-2015-8978 (In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, ...)
	{DLA-723-1}
	- libsoap-lite-perl 1.19-1
	[jessie] - libsoap-lite-perl (Minor issue)
	NOTE: https://github.com/redhotpenguin/soaplite/pull/21
	NOTE: https://github.com/redhotpenguin/soaplite/commit/6942fe0d281be1c32c5117605f9c4e8d44f51124
CVE-2015-8977 (MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and My ...)
	NOT-FOR-US: MyBB
CVE-2015-8976 (Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) ...)
	NOT-FOR-US: MyBB
CVE-2015-8975 (Cross-site scripting (XSS) vulnerability in the error handler in MyBB ...)
	NOT-FOR-US: MyBB
CVE-2015-8974 (SQL injection vulnerability in the Group Promotions module in the admi ...)
	NOT-FOR-US: MyBB
CVE-2015-8973 (xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x befo ...)
	NOT-FOR-US: MyBB
CVE-2015-8972 (Stack-based buffer overflow in the ValidateMove function in frontend/m ...)
	- gnuchess 6.2.4-1 (unimportant)
	NOTE: Built with hardening flags, no security impact
	NOTE: http://lists.gnu.org/archive/html/bug-gnu-chess/2015-10/msg00002.html
	NOTE: http://svn.savannah.gnu.org/viewvc?view=rev&root=chess&revision=134
CVE-2015-8971 (Terminology 0.7.0 allows remote attackers to execute arbitrary command ...)
	{DSA-3712-1}
	- terminology 0.7.0-2 (bug #843434)
	NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5
	NOTE: https://www.openwall.com/lists/oss-security/2016/11/04/12
CVE-2015-8969 (git-fastclone before 1.0.5 passes user modifiable strings directly to ...)
	NOT-FOR-US: git-fastclone
CVE-2015-8968 (git-fastclone before 1.0.1 permits arbitrary shell command execution f ...)
	NOT-FOR-US: git-fastclone
CVE-2015-8970 (crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not veri ...)
	- linux 4.4.2-1
	[jessie] - linux 3.16.7-ckt25-1
	[wheezy] - linux 3.2.78-1
	NOTE: https://groups.google.com/forum/#!msg/syzkaller/frb2XrB5aWk/xCXzkIBcDAAJ
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1386286
	NOTE: Fixed by: https://git.kernel.org/linus/dd504589577d8e8e70f51f997ad487a4cb6c026f (v4.5-rc1)
	NOTE: Followed by a complete set of related upstream commits. See kernel-sec
	NOTE: triage for details.
	NOTE: https://www.openwall.com/lists/oss-security/2016/11/03/6
CVE-2015-8967 (arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local us ...)
	- linux 4.0.2-1 (unimportant)
	NOTE: Fixed by: https://git.kernel.org/linus/c623b33b4e9599c6ac5076f7db7369eb9869aa04 (v4.0-rc1)
	NOTE: Missing security mitigation, not a vulnerability per se
CVE-2015-8966 (arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allow ...)
	- linux 4.4.2-1
	[jessie] - linux 3.16.7-ckt25-1
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/76cc404bfdc0d419c720de4daaf2584542734f42 (v4.4-rc8)
CVE-2015-8965 (Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows re ...)
	NOT-FOR-US: Rogue Wave JViews
CVE-2015-8964 (The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the L ...)
	{DLA-772-1}
	- linux 4.5.1-1
	[jessie] - linux 3.16.39-1
	NOTE: Fixed by: https://git.kernel.org/linus/dd42bf1197144ede075a9d4793123f7689e164bc (v4.5-rc1)
CVE-2015-8963 (Race condition in kernel/events/core.c in the Linux kernel before 4.4 ...)
	{DLA-772-1}
	- linux 4.4.2-1
	[jessie] - linux 3.16.39-1
	NOTE: Fixed by: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373 (v4.4)
CVE-2015-8962 (Double free vulnerability in the sg_common_write function in drivers/s ...)
	{DLA-772-1}
	- linux 4.4.2-1
	[jessie] - linux 3.16.39-1
	NOTE: Fixed by: https://git.kernel.org/linus/f3951a3709ff50990bf3e188c27d346792103432 (v4.4-rc1)
CVE-2015-8961 (The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux k ...)
	- linux 4.3.3-1
	[jessie] - linux 3.16.7-ckt25-1
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/6934da9238da947628be83635e365df41064b09b (v4.4-rc5)
CVE-2015-8960 (The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_ ...)
	NOTE: Vulnerability "in the TLS documentation", not assigned to a specific source/implementation
	NOTE: https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf
CVE-2015-8956 (The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Li ...)
	{DSA-3696-1 DLA-670-1}
	- linux 4.2.1-1
	NOTE: Fixed by: https://git.kernel.org/linus/951b6a0717db97ce420547222647bcc40bf1eacd (4.2-rc1)
CVE-2015-8955 (arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 ...)
	- linux 4.1.3-1
	[jessie] - linux 3.16.39-1
	[wheezy] - linux (Vulnerable code not present; arm64 introduced in 3.7)
	NOTE: Fixed by: https://git.kernel.org/linus/8fff105e13041e49b82f92eef034f363a6b1c071 (4.1-rc1)
CVE-2015-8954 (The MemcmpLowercase function in Suricata before 2.0.6 improperly exclu ...)
	- suricata 2.0.6-1 (bug #777523)
	[wheezy] - suricata (Minor issue)
	[squeeze] - suricata (Minor issue)
	NOTE: https://redmine.openinfosecfoundation.org/issues/1364
	NOTE: https://github.com/OISF/suricata/commit/17dfd59bc31a21e103e2f1216443cd1418398aa9
CVE-2015-8953 (fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorr ...)
	- linux 4.2.6-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/ab79efab0a0ba01a74df782eb7fa44b044dae8b5 (v4.3)
CVE-2015-8952 (The mbcache feature in the ext2 and ext4 filesystem implementations in ...)
	- linux 4.6.1-1 (low)
	[jessie] - linux (Minor issue and too intrusive to backport, workaround exists with the no_mbcache mount flag)
	[wheezy] - linux (Minor issue and too intrusive to backport)
	NOTE: https://git.kernel.org/linus/f9a61eb4e2471c56a63cd804c7474128138c38ac (v4.6-rc1)
	NOTE: https://git.kernel.org/linus/82939d7999dfc1f1998c4b1c12e2f19edbdff272 (v4.6-rc1)
	NOTE: https://git.kernel.org/linus/be0726d33cb8f411945884664924bed3cb8c70ee (v4.6-rc1)
CVE-2015-8951 (Multiple use-after-free vulnerabilities in sound/soc/msm/qdsp6v2/msm-l ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8950 (arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used ...)
	- linux 4.0.4-1
	[jessie] - linux 3.16.7-ckt17-1
	[wheezy] - linux (Vulnerable code not present; arm64 introduced in 3.7)
	NOTE: Fixed by: https://git.kernel.org/linus/6829e274a623187c24f7cfc0e3d35f25d087fcc5 (4.1-rc2)
CVE-2015-8957 (Buffer overflow in ImageMagick before 6.9.0-4 Beta allows remote attac ...)
	{DSA-3652-1 DLA-731-1}
	- imagemagick 8:6.9.6.2+dfsg-2 (bug #832464)
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26838
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/78f82d9d1c2944725a279acd573a22168dc6e22a
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/bd96074b254c6607a0f7731e59f923ad19d5a46d
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/450bd716ed3b9186dd10f9e60f630a3d9eeea2a4
	NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8958 (coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...)
	{DSA-3652-1 DLA-731-1}
	- imagemagick 8:6.9.6.2+dfsg-2 (bug #832465)
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8f17d08b7418204bf8a05a5c24e87b2fc395b75
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105
	NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8959 (coders/dds.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...)
	{DSA-3652-1 DLA-731-1}
	- imagemagick 8:6.9.6.2+dfsg-2 (bug #832944)
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26861
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/9b428b7af688fe319320aed15f2b94281d1e37b4
	NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8949 (Use-after-free vulnerability in the my_login function in DBD::mysql be ...)
	{DSA-3635-1 DLA-576-1}
	- libdbd-mysql-perl 4.035-1
	NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/45
	NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156
CVE-2015-8948 (idn in GNU libidn before 1.33 might allow remote attackers to obtain s ...)
	{DSA-3658-1 DLA-582-1}
	- libidn 1.33-1
	NOTE: Fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041 (libidn-1-33)
	NOTE: When fixing this issue, the followup fix http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60
	NOTE: is required to fix the problem. (Resulted in followup CVE, CVE-2016-6262
	NOTE: if not applied completely).
CVE-2015-8947 (hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote atta ...)
	{DLA-2040-1}
	- harfbuzz 1.2.6-1
	NOTE: https://cgit.freedesktop.org/harfbuzz/commit/?id=f96664974774bfeb237a7274f512f64aaafb201e (1.0.5)
CVE-2015-8946 (ecryptfs-setup-swap in eCryptfs before 111 does not prevent the unencr ...)
	- ecryptfs-utils 111-1
	[jessie] - ecryptfs-utils (Minor issue)
	[wheezy] - ecryptfs-utils (Only happens if using systemd v207 onward)
	NOTE: https://launchpad.net/bugs/1447282
	NOTE: Fixed by: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/857
	NOTE: https://www.openwall.com/lists/oss-security/2016/07/13/2
CVE-2015-8945 (openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores ...)
	NOT-FOR-US: OpenShift
CVE-2015-8944 (The ioresources_init function in kernel/resource.c in the Linux kernel ...)
	- linux (Android-specific patch, /proc/iomem is root-restricted already)
CVE-2015-8943 (drivers/video/msm/mdss/mdss_mdp_util.c in the Qualcomm components in A ...)
	- linux (Android-specific patch)
CVE-2015-8942 (drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualco ...)
	- linux (Android-specific patch)
CVE-2015-8941 (drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qua ...)
	- linux (Android-specific patch)
CVE-2015-8940 (Integer overflow in sound/soc/msm/qdsp6v2/q6lsm.c in the Qualcomm comp ...)
	- linux (Android-specific patch)
CVE-2015-8939 (drivers/video/msm/mdp4_util.c in the Qualcomm components in Android be ...)
	- linux (Android-specific patch)
CVE-2015-8938 (The MSM camera driver in the Qualcomm components in Android before 201 ...)
	- linux (Android-specific patch)
CVE-2015-8937 (drivers/char/diag/diagchar_core.c in the Qualcomm components in Androi ...)
	- linux (Android-specific patch)
CVE-2015-8936 (Cross-site scripting (XSS) vulnerability in squidGuard.cgi in squidGua ...)
	{DLA-524-1}
	- squidguard 1.5-5 (unimportant)
	NOTE: Only affects an example script
	NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5
	NOTE: https://www.openwall.com/lists/oss-security/2016/06/20/2
CVE-2015-8935 (The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x ...)
	- php5 5.6.6+dfsg-1
	[wheezy] - php5 5.4.38-0+deb7u1
	NOTE: https://bugs.php.net/bug.php?id=68978
	NOTE: https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b
	NOTE: Fixed in 5.6.6, 5.5.22 and 5.4.38
CVE-2015-8934 (The copy_from_lzss_window function in archive_read_support_format_rar. ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.1-1
	NOTE: https://github.com/libarchive/libarchive/issues/521
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/603454ec03040c29bd051fcc749e3c1433c11a8e (v3.2.1)
CVE-2015-8933 (Integer overflow in the archive_read_format_tar_skip function in archi ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/548
	NOTE: https://github.com/libarchive/libarchive/issues/582
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/3c7a6dc6694d9b26400d2bd672e04d09ed8a4276 (v3.1.900a)
CVE-2015-8932 (The compress_bidder_init function in archive_read_support_filter_compr ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/547
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/f0b1dbbc325a2d922015eee402b72edd422cb9ea (v3.1.900a)
	NOTE: and part of https://github.com/libarchive/libarchive/commit/55ce98e829eda3a4356c2be64a778d8740c2cf6c (v3.1.900a)
	NOTE: and https://github.com/libarchive/libarchive/commit/618618c8a6be453f79e0bdbdeab6e1dd8bf429b3 (v3.1.900a)
	NOTE: Part of the problematic code was introduced with commit bf4f6ec64ef3edefbc41172692868fb8df514805
	NOTE: to fix https://github.com/libarchive/libarchive/issues/356
CVE-2015-8931 (Multiple integer overflows in the (1) get_time_t_max and (2) get_time_ ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/539
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/b31744df71084a8734f97199e42418f55d08c6c5 (v3.1.900a)
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/c0c52e9aaafb0860c4151c5374372051e9354301 (v3.1.900a)
CVE-2015-8930 (bsdtar in libarchive before 3.2.0 allows remote attackers to cause a d ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/522
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/39fc59391b7cf2a007bffce280c1e3e66674258f (v3.1.900a)
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/01cfbca4fdae1492a8a09c001b61bbca46f869f2 (v3.1.900a)
CVE-2015-8929 (Memory leak in the __archive_read_get_extract function in archive_read ...)
	- libarchive 3.2.0-2
	[jessie] - libarchive (Introduced in 3.2.0)
	[wheezy] - libarchive (Introduced in 3.2.0)
	NOTE: https://github.com/libarchive/libarchive/issues/517
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/d24e79e8f9547ae475a3a0c9516e079a14010838
CVE-2015-8928 (The process_add_entry function in archive_read_support_format_mtree.c ...)
	{DSA-3657-1}
	- libarchive 3.2.0-2
	[wheezy] - libarchive (vulnerable code not present)
	NOTE: https://github.com/libarchive/libarchive/issues/550
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/64d5628
CVE-2015-8927 (The trad_enc_decrypt_update function in archive_read_support_format_zi ...)
	- libarchive 3.2.0-2
	[jessie] - libarchive (vulnerable code not present)
	[wheezy] - libarchive (vulnerable code not present)
	NOTE: https://github.com/libarchive/libarchive/issues/523
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/eff35d4
CVE-2015-8926 (The archive_read_format_rar_read_data function in archive_read_support ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/518
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/aab73938
CVE-2015-8925 (The readline function in archive_read_support_format_mtree.c in libarc ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/516
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/1e18cbb71
CVE-2015-8924 (The archive_read_format_tar_read_header function in archive_read_suppo ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/515
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/bb9b157
CVE-2015-8923 (The process_extra function in libarchive before 3.2.0 uses the size fi ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/514
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/9e0689c
CVE-2015-8922 (The read_CodersInfo function in archive_read_support_format_7zip.c in ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/513
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/d094dc
CVE-2015-8921 (The ae_strtofflags function in archive_entry.c in libarchive before 3. ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/512
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/1cbc76f
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/05a875fdb876e7a2f56a2937f756927cbed919e0
CVE-2015-8920 (The _ar_read_header function in archive_read_support_format_ar.c in li ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/511
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/97f964e
CVE-2015-8919 (The lha_read_file_extended_header function in archive_read_support_for ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/510
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/e8a2e4d
CVE-2015-8918 (The archive_string_append function in archive_string.c in libarchive b ...)
	- libarchive (Vulnerable code not in a released version)
	NOTE: Introduced in https://github.com/libarchive/libarchive/commit/cf8e67ffc8a2227b63fc6d3d1569b0214f160f54
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/b6ba56037f0da44efebfa271cc4b1a736a74c62f
	NOTE: https://github.com/libarchive/libarchive/issues/506
CVE-2015-8917 (bsdtar in libarchive before 3.2.0 allows remote attackers to cause a d ...)
	{DSA-3657-1 DLA-554-1}
	- libarchive 3.2.0-2
	NOTE: https://github.com/libarchive/libarchive/issues/505
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/b2e2abb
CVE-2015-8916 (bsdtar in libarchive before 3.2.0 returns a success code without filli ...)
	{DSA-3657-1}
	- libarchive 3.2.0-2
	[wheezy] - libarchive (no segfault, not reproducible with reproducer)
	NOTE: https://github.com/libarchive/libarchive/issues/504
	NOTE: Fixed by https://github.com/libarchive/libarchive/commit/b2e2abb
CVE-2015-8915 (bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a ...)
	{DLA-1600-1 DLA-617-1}
	- libarchive 3.2.0-2 (low; bug #784213)
	[squeeze] - libarchive (Minor issue)
	NOTE: https://github.com/libarchive/libarchive/issues/503
	NOTE: https://github.com/libarchive/libarchive/issues/502
	NOTE: 502 is a duplicate of https://github.com/libarchive/libarchive/issues/503
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008
	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/3865cf2bcb0eebc1baef28a7841b1cadae6e0f7c
CVE-2015-8914 (The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 thro ...)
	- neutron 2:8.1.2-1
	[jessie] - neutron (Minor issue)
	NOTE: https://bugs.launchpad.net/bugs/1502933
CVE-2015-8913 REJECTED
CVE-2015-8912 REJECTED
CVE-2015-8911 REJECTED
CVE-2015-8910 REJECTED
CVE-2015-8909 REJECTED
CVE-2015-8908 REJECTED
CVE-2015-8907 REJECTED
CVE-2015-8906 REJECTED
CVE-2015-8905 REJECTED
CVE-2015-8904 REJECTED
CVE-2015-1000013 (Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v ...)
	NOT-FOR-US: WordPress plugin csv2wpec-coupon
CVE-2015-1000012 (Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin mypixs
CVE-2015-1000011 (Blind SQL Injection in wordpress plugin dukapress v2.5.9 ...)
	NOT-FOR-US: WordPress plugin dukapress
CVE-2015-1000010 (Remote file download in simple-image-manipulator v1.0 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin simple-image-manipulator
CVE-2015-1000009 (Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05 ...)
	NOT-FOR-US: WordPress plugin google-adsense-and-hotel-booking
CVE-2015-1000008 (Path Disclosure Vulnerability in wordpress plugin MP3-jPlayer v2.3.2 ...)
	NOT-FOR-US: WordPress plugin MP3-jPlayer
CVE-2015-1000007 (Remote file download vulnerability in wptf-image-gallery v1.03 ...)
	NOT-FOR-US: WordPress plugin wptf-image-gallery
CVE-2015-1000006 (Remote file download vulnerability in recent-backups v0.7 wordpress pl ...)
	NOT-FOR-US: WordPress plugin recent-backups
CVE-2015-1000005 (Remote file download vulnerability in candidate-application-form v1.0 ...)
	NOT-FOR-US: WordPress plugin candidate-application-form
CVE-2015-1000004 (XSS in filedownload v1.4 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin filedownload
CVE-2015-1000003 (Blind SQL Injection in filedownload v1.4 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin filedownload
CVE-2015-1000002 (Open Proxy in filedownload v1.4 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin filedownload
CVE-2015-1000001 (Remote file upload vulnerability in fast-image-adder v1.1 Wordpress pl ...)
	NOT-FOR-US: WordPress plugin fast-image-adder
CVE-2015-1000000 (Remote file upload vulnerability in mailcwp v1.99 wordpress plugin ...)
	NOT-FOR-US: WordPress plugin mailcwp
CVE-2015-8899 (Dnsmasq before 2.76 allows remote servers to cause a denial of service ...)
	- dnsmasq 2.76-1
	[jessie] - dnsmasq (Vulnerable code introduced later)
	[wheezy] - dnsmasq (Vulnerable code introduced later)
	NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html
	NOTE: Fixed by: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87 (v2.76rc1)
	NOTE: Introduced by: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=cbc652423403e3cef00e00240f6beef713142246 (v2.73rc1)
	NOTE: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1581181
CVE-2015-8898 (The WriteImages function in magick/constitute.c in ImageMagick before ...)
	- imagemagick 8:6.8.9.9-7
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
	NOTE: https://github.com/ImageMagick/ImageMagick/pull/34
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44
CVE-2015-8897 (The SpliceImage function in MagickCore/transform.c in ImageMagick befo ...)
	- imagemagick 8:6.8.9.9-7
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231
CVE-2015-8896 (Integer truncation issue in coders/pict.c in ImageMagick before 7.0.5- ...)
	{DLA-353-1}
	- imagemagick 8:6.8.9.9-7 (bug #806441)
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
	NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
CVE-2015-8895 (Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and later all ...)
	{DLA-353-1}
	- imagemagick 8:6.8.9.9-7 (bug #806441)
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
	NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
	NOTE: The issue is only exploitable on 32 bit architectures.
CVE-2015-8894 (Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and lat ...)
	- imagemagick 8:6.8.9.9-6 (bug #806442; bug #799524)
	[jessie] - imagemagick (Can't reproduce crash with file)
	[wheezy] - imagemagick (Can't reproduce crash with file)
	[squeeze] - imagemagick (Can't reproduce crash with file)
	NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
	NOTE: The problem can only be triggered with recent versions of ImageMagick (8:6.9.1.2-1 in experimental is vulnerable, 8:6.8.9.9-6 in sid is not vulnerable, older versions are not vulnerable)
CVE-2015-8893 (app/aboot/aboot.c in the Qualcomm bootloader in Android before 2016-07 ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8892 (platform/msm_shared/boot_verifier.c in the Qualcomm components in Andr ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8891 (Multiple integer overflows in app/aboot/aboot.c in the Qualcomm compon ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8890 (platform/msm_shared/partition_parser.c in the Qualcomm components in A ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8889 (The aboot implementation in the Qualcomm components in Android before ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8888 (Integer overflow in app/aboot/aboot.c in the Qualcomm components in An ...)
	NOT-FOR-US: Qualcomm components for Android
CVE-2015-8887
	RESERVED
CVE-2015-8886
	RESERVED
CVE-2015-8885
	RESERVED
CVE-2015-8884
	RESERVED
CVE-2015-8883
	RESERVED
CVE-2015-8882
	RESERVED
CVE-2015-8881
	RESERVED
CVE-2015-8880 (Double free vulnerability in the format printer in PHP 7.x before 7.0. ...)
	- php7.0 7.0.1-1
CVE-2015-8879 (The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 ...)
	{DLA-499-1}
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	- php7.0 7.0.0-1
	NOTE: Fixed in PHP 5.6.12, 7.0.0
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=69975
CVE-2015-8878 (main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5 ...)
	{DLA-499-1}
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	NOTE: Fixed in PHP 5.6.12, 5.5.28
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=70002
CVE-2015-8877 (The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graph ...)
	{DSA-3587-1}
	- libgd2 2.2.1-1
	[wheezy] - libgd2 (Vulnerable code not present)
	NOTE: https://github.com/libgd/libgd/commit/4751b606fa38edc456d627140898a7ec679fcc24 (gd-2.2.0)
	NOTE: https://github.com/libgd/libgd/issues/173
	- php5 5.6.12+dfsg-1 (unimportant)
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	- php7.0 7.0.0-1 (unimportant)
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=70064
	NOTE: Fixed in PHP 5.6.12, 7.0.0
	NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd
CVE-2015-8876 (Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and ...)
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	[wheezy] - php5 5.4.44-0+deb7u1
	- php7.0 7.0.0-1
	NOTE: Fixed in PHP 7.0.0, 5.6.12, 5.5.28, 5.4.44
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=70121
CVE-2015-8874 (Stack consumption vulnerability in GD in PHP before 5.6.12 allows remo ...)
	{DSA-3587-1 DLA-482-1}
	- libgd2 2.2.1-1 (bug #824627)
	NOTE: https://github.com/libgd/libgd/commit/38241013cc048af7c03daf6e9a75b4f42bffb200
	- php5 5.6.12+dfsg-1 (unimportant)
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	- php7.0 7.0.0-1 (unimportant)
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=66387
	NOTE: Fixed in 5.6.12, 7.0.0
	NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd
CVE-2015-8873 (Stack consumption vulnerability in Zend/zend_exceptions.c in PHP befor ...)
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	[wheezy] - php5 5.4.44-0+deb7u1
	NOTE: Fixed in 5.6.12, 5.5.28, 5.4.44
	NOTE: PHP bug: https://bugs.php.net/bug.php?id=69793
CVE-2015-8872 (The set_fat function in fat.c in dosfstools before 4.0 might allow att ...)
	{DLA-2224-1 DLA-474-1}
	- dosfstools 4.0-1
	NOTE: https://github.com/dosfstools/dosfstools/issues/12
	NOTE: https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
CVE-2015-8870 (Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows re ...)
	- tiff 4.0.3-12
	[wheezy] - tiff 4.0.2-6+deb7u4
	NOTE: Fixed already with the patch applied in 4.0.3-12 in unstable for the
	NOTE: CVE-2014-9330 issue.
	- tiff3 (libtiff-tools not shipped in tiff3)
CVE-2015-8869 (OCaml before 4.03.0 does not properly handle sign extensions, which al ...)
	{DLA-466-1}
	- ocaml 4.02.3-9 (bug #824139)
	[jessie] - ocaml (Minor issue; can be fixed via point release and scheduling binNMUs there)
	NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/29/1
	NOTE: OCaml applications using the patched functions need to be recompiled with the
	NOTE: fixed ocaml version.
CVE-2015-8864 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1 ...)
	{DLA-537-1}
	- roundcube 1.1.5+dfsg.1-1 (bug #822333)
	NOTE: https://github.com/roundcube/roundcubemail/issues/4949
	NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
	NOTE: https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
	NOTE: https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0 (release-1.1)
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/23/3
	NOTE: https://lists.debian.org/debian-lts/2016/06/msg00159.html
CVE-2015-8862 (mustache package before 2.2.1 for Node.js allows remote attackers to c ...)
	- mustache.js (unimportant)
	NOTE: node-handlebars only in experimental for now, fixed in 4.0.0
	NOTE: libv8 is not covered by security support
CVE-2015-8861 (The handlebars package before 4.0.0 for Node.js allows remote attacker ...)
	- mustache.js (unimportant)
	NOTE: node-handlebars only in experimental for now, fixed in 4.0.0
	NOTE: libv8 is not covered by security support
CVE-2015-8860 (The tar package before 2.0.0 for Node.js allows remote attackers to wr ...)
	- node-tar 2.2.1-1 (unimportant)
	NOTE: libv8 is not covered by security support
CVE-2015-8859 (The send package before 0.11.1 for Node.js allows attackers to obtain ...)
	- node-send 0.16.2-1 (unimportant)
	NOTE: libv8 is not covered by security support
	NOTE: https://nodesecurity.io/advisories/56
CVE-2015-8858 (The uglify-js package before 2.6.0 for Node.js allows attackers to cau ...)
	- uglifyjs 2.7.4-1 (unimportant)
	NOTE: libv8 is not covered by security support
	NOTE: https://nodesecurity.io/advisories/48
CVE-2015-8854 (The marked package before 0.3.4 for Node.js allows attackers to cause ...)
	- node-marked 0.3.6+dfsg-1 (unimportant)
	NOTE: https://nodesecurity.io/advisories/marked_redos
	NOTE: https://github.com/chjj/marked/issues/497
	NOTE: libv8 is not covered by security support
CVE-2015-8866 (ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when ...)
	{DLA-499-1}
	- php5 5.6.6+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=64938
	NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
	NOTE: http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
	NOTE: Fixed in 5.6.6, 5.5.22
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/21/8
CVE-2015-8867 (The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in P ...)
	- php7.0 7.0.0-1
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	[wheezy] - php5 5.4.44-0+deb7u1
	NOTE: https://bugs.php.net/bug.php?id=70014
	NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
	NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.4.44
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/21/8
CVE-2015-8853 (The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in ...)
	- perl 5.22.1-1 (bug #821848)
	[jessie] - perl 5.20.2-3+deb8u5
	[wheezy] - perl (Minor issue)
	NOTE: https://rt.perl.org/Public/Bug/Display.html?id=123562
	NOTE: http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/20/5
CVE-2015-8863 (Off-by-one error in the tokenadd function in jv_parse.c in jq allows r ...)
	- jq 1.5+dfsg-1.1 (low; bug #802231)
	[jessie] - jq 1.4-2.1+deb8u1
	NOTE: https://github.com/stedolan/jq/issues/995
	NOTE: https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/23/1
CVE-2015-8850
	RESERVED
CVE-2015-8849
	RESERVED
CVE-2015-8848
	RESERVED
CVE-2015-8847
	RESERVED
CVE-2015-8846
	RESERVED
CVE-2015-8843 (The Foxit Cloud Update Service (FoxitCloudUpdateService) in Foxit Read ...)
	NOT-FOR-US: Foxit Reader
CVE-2015-8851 (node-uuid before 1.4.4 uses insufficiently random data to create a GUI ...)
	- node-uuid 1.4.7-1 (unimportant)
	NOTE: https://github.com/broofa/node-uuid/issues/108
	NOTE: https://github.com/broofa/node-uuid/issues/118
	NOTE: https://github.com/broofa/node-uuid/issues/122
	NOTE: https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
	NOTE: nodejs not covered by security support
CVE-2015-8844 (The signal implementation in the Linux kernel before 4.3.5 on powerpc ...)
	- linux 4.4.2-1
	[jessie] - linux 3.16.7-ckt25-1
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1326540
	NOTE: Upstream commit: https://git.kernel.org/linus/d2b9d2a5ad5ef04ff978c9923d19730cb05efd55 (v4.4-rc3)
	NOTE: Introduced by: https://git.kernel.org/linus/2b0a576d15e0e14751f00f9c87e46bad27f217e7 (v3.9-rc1)
CVE-2015-8845 (The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the ...)
	- linux 4.4.2-1
	[jessie] - linux 3.16.7-ckt25-1
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1326540
	NOTE: Upstream commit: https://git.kernel.org/linus/7f821fc9c77a9b01fe7b1d6e72717b33d8d64142 (v4.4-rc3)
	NOTE: Introduced by: https://git.kernel.org/linus/fb09692e71f13af7298eb603a1975850b1c7a8d8 (v3.9-rc1)
CVE-2015-8868 (Heap-based buffer overflow in the ExponentialFunction::ExponentialFunc ...)
	{DSA-3563-1 DLA-446-1}
	- poppler 0.38.0-3 (bug #822578)
	NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93476
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/12/1
CVE-2015-8841 (Heap-based buffer overflow in the Archive support module in ESET NOD32 ...)
	NOT-FOR-US: ESET NOD32
CVE-2015-8840 (The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does ...)
	NOT-FOR-US: SAP
CVE-2015-8842 (tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions fo ...)
	- systemd 215-1 (bug #825059)
	[wheezy] - systemd (Vulnerable code not present)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972612
	NOTE: Introduced by: https://github.com/systemd/systemd/commit/a606871da508995f5ede113a8fc6538afd98966c (v213)
	NOTE: Fixed by (for current persistent journal): https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f (v229)
	NOTE: Starting with 215 Debian no longer ships tmpfiles.d/systemd.conf, so the fixup upstream added as
	NOTE: afae249efa4774c6676738ac5de6aeb4daf4889f for persistent journals is not needed for the packaged
	NOTE: version. Anyone using a custom config needs to ensure proper permissions.
CVE-2015-8865 (The file_check_mem function in funcs.c in file before 5.23, as used in ...)
	{DSA-3560-1 DLA-499-1 DLA-460-1}
	- php7.0 7.0.5-1
	- php5 5.6.20+dfsg-1
	- file 1:5.24-1 (bug #827377)
	[jessie] - file 1:5.22+15-2+deb8u2
	- hhvm 3.12.11+dfsg-1 (bug #835032)
	NOTE: http://bugs.gw.com/view.php?id=522
	NOTE: https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
	NOTE: https://bugs.php.net/bug.php?id=71527
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e
	NOTE: PHP fixed in 7.0.5, 5.6.20, 5.5.34
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/11/7
	NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/4e614ba041e24af8351afbb49c92444c0850f23b
CVE-2015-8839 (Multiple race conditions in the ext4 filesystem implementation in the ...)
	{DLA-2241-1}
	- linux 4.5.1-1
	[wheezy] - linux (Too much work to backport)
	NOTE: https://git.kernel.org/linus/ea3d7209ca01da209cda6f0dea8be9cc4b7a933b (v4.5-rc1)
	NOTE: https://git.kernel.org/linus/17048e8a083fec7ad841d88ef0812707fbc7e39f (v4.5-rc1)
	NOTE: https://git.kernel.org/linus/32ebffd3bbb4162da5ff88f9a35dd32d0a28ea70 (v4.5-rc1)
	NOTE: https://git.kernel.org/linus/011278485ecc3cd2a3954b5d4c73101d919bf1fa (v4.5-rc1)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972174
CVE-2015-8838 (ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5 ...)
	- php5 5.6.11+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	[wheezy] - php5 5.4.44-0+deb7u1
	NOTE: Fixed in 5.6.11, 5.5.27, 5.4.43
	NOTE: https://bugs.php.net/bug.php?id=69669
CVE-2015-8834 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in W ...)
	{DSA-3639-1 DLA-633-1}
	- wordpress 4.2.2+dfsg-1
	NOTE: https://wordpress.org/news/2015/05/wordpress-4-2-2/
	NOTE: Follow-up patch from 4.2.1 -> 4.2.2 for wp-includes/wp-db.php seems not applied
	NOTE: This looks like a required patch: https://github.com/WordPress/WordPress/commit/a3a76fe665dfb62508a66542390a93445f1f7a59
	NOTE: Changes in wp-includes/wp-db.php: https://github.com/WordPress/WordPress/commit/db8f915ee6c236ee2f39e76781bf42367e3f1490
	NOTE: https://core.trac.wordpress.org/changeset/32387/
	NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32391
	NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32395
	NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32423
	NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32435
CVE-2015-8835 (The make_http_soap_request function in ext/soap/php_http.c in PHP befo ...)
	- php5 5.6.12+dfsg-1
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	[wheezy] - php5 5.4.44-0+deb7u1
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69
	NOTE: https://bugs.php.net/bug.php?id=70081
	NOTE: Fixed in 5.6.12, 5.5.28, 5.4.44
	NOTE: CVE assignment is for "The first problem" section of Bug 70081
CVE-2015-8833 (Use-after-free vulnerability in the create_smp_dialog function in gtk- ...)
	{DSA-3528-1}
	- pidgin-otr 4.0.2-1
	[wheezy] - pidgin-otr (Vulnerable code not present)
	NOTE: https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html
	NOTE: https://bugs.otr.im/issues/88
	NOTE: https://bugs.otr.im/issues/128
	NOTE: Fixed by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/aaf551b9dd5cbba8c4abaa3d4dc7ead860efef94
	NOTE: Introduced by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/c276bfa786bef8a4572a37d5633cf40f480d3ae0
	NOTE: https://www.openwall.com/lists/oss-security/2016/03/09/8
CVE-2015-8832 (Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.cor ...)
	- dotclear (bug #815979)
	NOTE: https://hg.dotclear.org/dotclear/rev/198580bc3d80
	NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
	NOTE: Fixed upstream in 2.8.2
	NOTE: https://www.openwall.com/lists/oss-security/2016/03/05/4
CVE-2015-8831 (Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotc ...)
	- dotclear (bug #815979)
	NOTE: https://hg.dotclear.org/dotclear/rev/65e65154dadf
	NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
	NOTE: Fixed upstream in 2.8.2
	NOTE: https://www.openwall.com/lists/oss-security/2016/03/05/4
CVE-2015-8829
	REJECTED
CVE-2015-8828
	REJECTED
CVE-2015-8827
	REJECTED
CVE-2015-8826
	REJECTED
CVE-2015-8825
	REJECTED
CVE-2015-8824
	REJECTED
CVE-2015-8823 (Use-after-free vulnerability in the TextField object implementation in ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8822 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8821 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8820 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8819
	RESERVED
CVE-2015-8818 (The cpu_physical_memory_write_rom_internal function in exec.c in QEMU ...)
	- qemu 1:2.4+dfsg-1a
	[jessie] - qemu (Problematic memory clamping code got added later with upstream commit 965eb2f)
	[wheezy] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	[squeeze] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	- qemu-kvm (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	NOTE: https://www.openwall.com/lists/oss-security/2016/03/01/10
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=b242e0e0e2969c044a318e56f7988bbd84de1f63 (v2.4.0-rc0)
	NOTE: same patchset as CVE-2015-8817
	NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00065.html
CVE-2015-8817 (QEMU (aka Quick Emulator) built to use 'address_space_translate' to ma ...)
	- qemu 1:2.4+dfsg-1a
	[jessie] - qemu (Minor issue; too dangerous backport)
	[wheezy] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	[squeeze] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	- qemu-kvm (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
	NOTE: https://www.openwall.com/lists/oss-security/2016/03/01/10
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=c3c1bb99d1c11978d9ce94d1bdcf0705378c1459 (v2.3.0-rc1)
	NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00060.html
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=23820dbfc79d1c9dce090b4c555994f2bb6a69b3 (v2.4.0-rc0)
	NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00065.html
CVE-2015-8852 (Varnish 3.x before 3.0.7, when used in certain stacked installations, ...)
	{DSA-3553-1}
	- varnish 4.0.0-1 (bug #783510)
	NOTE: https://www.openwall.com/lists/oss-security/2016/04/16/1
	NOTE: fixed in 3.0.7 upstream, mark as fixed with first 4.x version in unstable
	NOTE: 4.x not affected
CVE-2015-8857 (The uglify-js package before 2.4.24 for Node.js does not properly acco ...)
	- uglifyjs (unimportant)
	NOTE: fixed in 2.4.24
	NOTE: https://zyan.scripts.mit.edu/blog/backdooring-js/
	NOTE: https://github.com/mishoo/UglifyJS2/issues/751
	NOTE: https://nodesecurity.io/advisories/39
	NOTE: nodejs not covered by security support
CVE-2015-XXXX [root path disclosure]
	- node-send 0.16.2-1 (unimportant)
	NOTE: fixed in 0.11.1
	NOTE: https://github.com/pillarjs/send/pull/70
	NOTE: https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20
	NOTE: https://nodesecurity.io/advisories/56
	NOTE: nodejs not covered by security support
CVE-2015-XXXX [handlebars: quoteless attributes in templates can lead to content injection]
	- libjs-handlebars (unimportant)
	- ruby-handlebars-assets (unimportant)
	NOTE: fixed in 4.0.0
	NOTE: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
	NOTE: https://github.com/wycats/handlebars.js/pull/1083
	NOTE: https://nodesecurity.io/advisories/61
	NOTE: Security hardening, not a vulnerability
CVE-2015-XXXX [quoteless attributes in templates can lead to content injection]
	- mustache.js (unimportant)
	NOTE: fixed in 2.2.1
	NOTE: https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
	NOTE: https://nodesecurity.io/advisories/62
	NOTE: Security hardening, not a vulnerability
CVE-2015-9244 (Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not ...)
	- node-mysql 2.0.0~alpha8-1 (unimportant)
	NOTE: https://github.com/felixge/node-mysql/issues/342
	NOTE: https://nodesecurity.io/advisories/66
	NOTE: nodejs not covered by security support
CVE-2015-8830 (Integer overflow in the aio_setup_single_vector function in fs/aio.c i ...)
	- linux 4.1.3-1
	[jessie] - linux 3.16.7-ckt20-1+deb8u4
	[wheezy] - linux (Vulnerable code not present)
	NOTE: https://git.kernel.org/linus/4c185ce06dca14f5cea192f5a2c981ef50663f2b (v4.1-rc1)
CVE-2015-8816 (The hub_activate function in drivers/usb/core/hub.c in the Linux kerne ...)
	{DSA-3503-1}
	- linux 4.4.2-1
	- linux-2.6
	NOTE: Fixed by: https://git.kernel.org/linus/e50293ef9775c5f1cf3fcc093037dd6a8c5684ea (v4.4-rc6)
CVE-2015-8815 (Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before ...)
	NOT-FOR-US: Umbraco
CVE-2015-8814 (Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery se ...)
	NOT-FOR-US: Umbraco
CVE-2015-8813 (The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/das ...)
	NOT-FOR-US: Umbraco
CVE-2015-8812 (drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 d ...)
	{DSA-3503-1 DLA-439-1}
	- linux 4.4.2-1
	- linux-2.6
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/11/1
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303532
	NOTE: Fixed by: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 (v4.5-rc1)
	NOTE: Introduced by: https://git.kernel.org/linus/04b5d028f50ff05a8f9ae049ee71f8fdfcf1f5de (v2.6.30-rc2)
CVE-2015-8811
	RESERVED
CVE-2015-8810
	RESERVED
CVE-2015-8809
	RESERVED
CVE-2015-8808 (The DecodeImage function in coders/gif.c in GraphicsMagick 1.3.18 allo ...)
	{DSA-3746-1 DLA-484-1}
	- graphicsmagick 1.3.21-2
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/06/1
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e8fa353f53
CVE-2015-8802
	REJECTED
CVE-2015-8801 (Race condition in the client in Symantec Endpoint Protection (SEP) 12. ...)
	NOT-FOR-US: Symantec
CVE-2015-8800 (Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x ...)
	NOT-FOR-US: Symantec
CVE-2015-8799 (Directory traversal vulnerability in the Management Server in Symantec ...)
	NOT-FOR-US: Symantec
CVE-2015-8798 (Directory traversal vulnerability in the Management Server in Symantec ...)
	NOT-FOR-US: Symantec
CVE-2015-8807 (Cross-site scripting (XSS) vulnerability in the _renderVarInput_number ...)
	{DSA-3496-1}
	- php-horde-core 2.22.4+debian0-1 (bug #813590)
	NOTE: https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
	NOTE: https://www.openwall.com/lists/oss-security/2016/02/06/4
CVE-2015-8806 (dict.c in libxml2 allows remote attackers to cause a denial of service ...)
	{DSA-3593-1 DLA-503-1}
	- libxml2 2.9.3+dfsg1-1.1 (bug #813613)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=749115
	NOTE: Same fix as CVE-2016-1839 seems to resolve the issue
CVE-2015-8805 (The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not p ...)
	- nettle 3.2-1 (bug #813679)
	[jessie] - nettle 2.7.1-5+deb8u1
	[wheezy] - nettle (Vulnerable code not present)
	[squeeze] - nettle (Vulnerable code not present)
	NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
CVE-2015-8804 (x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle ...)
	- nettle 3.2-1 (bug #813679)
	[jessie] - nettle 2.7.1-5+deb8u1
	[wheezy] - nettle (Vulnerable code not present)
	[squeeze] - nettle (Vulnerable code not present)
	NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html
	NOTE: https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
CVE-2015-8803 (The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not p ...)
	- nettle 3.2-1 (bug #813679)
	[jessie] - nettle 2.7.1-5+deb8u1
	[wheezy] - nettle (Vulnerable code not present)
	[squeeze] - nettle (Vulnerable code not present)
	NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
	NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
CVE-2015-8797 (Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plug ...)
	- lucene-solr (Vulnerable code not present)
	NOTE: https://issues.apache.org/jira/browse/SOLR-7949
CVE-2015-8796 (Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/sche ...)
	- lucene-solr (Vulnerable code not present)
	NOTE: https://issues.apache.org/jira/browse/SOLR-7920
CVE-2015-8795 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in ...)
	- lucene-solr (Vulnerable code not present)
	NOTE: https://issues.apache.org/jira/browse/SOLR-7346
CVE-2015-8794 (Absolute path traversal vulnerability in program/steps/addressbook/pho ...)
	- roundcube 1.1.2+dfsg.1-1
	[wheezy] - roundcube (Vulnerable code not present)
	[squeeze] - roundcube (Vulnerable code not present)
	NOTE: http://www.scip.ch/en/?vuldb.80732
	NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
	NOTE: http://trac.roundcube.net/ticket/1490379
CVE-2015-8793 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...)
	- roundcube 1.1.2+dfsg.1-1
	[wheezy] - roundcube (Vulnerable code not present)
	[squeeze] - roundcube (Vulnerable code not present)
	NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
	NOTE: http://www.scip.ch/en/?vuldb.80731
	NOTE: http://trac.roundcube.net/ticket/1490417 - mentions 1.0 not vulnerable, verified code not present in squeeze
	NOTE: http://web.archive.org/web/20150627125240/http://trac.roundcube.net:80/changeset/b782815dac/github
CVE-2015-8791 (The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 a ...)
	{DSA-3538-1 DLA-438-1}
	- libebml 1.3.3-1
	NOTE: https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
	NOTE: https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90
CVE-2015-8790 (The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 ...)
	{DSA-3538-1 DLA-438-1}
	- libebml 1.3.3-1
	NOTE: https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
	NOTE: https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b
CVE-2015-XXXX [Type Confusion Vulnerability in PHP_to_XMLRPC_worker()]
	- php5 5.6.17+dfsg-1
	[jessie] - php5 5.6.17+dfsg-0+deb8u1
	[wheezy] - php5 5.4.45-0+deb7u4
	NOTE: Workaround entry for DLA-533-1 until CVE is assigned
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=f3c1863aa2721343245b63ac7bd68cfdc3dd41f3
	NOTE: https://bugs.php.net/bug.php?id=70728
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
CVE-2015-XXXX [Session WDDX Packet Deserialization Type Confusion Vulnerability]
	- php5 5.6.17+dfsg-1
	[jessie] - php5 5.6.17+dfsg-0+deb8u1
	[wheezy] - php5 5.4.45-0+deb7u4
	NOTE: Workaround entry for DLA-533-1 until CVE is assigned
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
	NOTE: https://bugs.php.net/bug.php?id=70741
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
CVE-2015-XXXX [Use-after-free in WDDX Packet Deserialization]
	- php5 5.6.17+dfsg-1
	[jessie] - php5 5.6.17+dfsg-0+deb8u1
	[wheezy] - php5 5.4.45-0+deb7u4
	NOTE: Workaround entry for DLA-533-1 until CVE is assigned
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746
	NOTE: https://bugs.php.net/bug.php?id=70661
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
CVE-2015-8792 (The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 al ...)
	{DSA-3526-1 DLA-420-1}
	- libmatroska 1.4.4-1
	NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
	NOTE: https://github.com/Matroska-Org/libmatroska/commit/0a2d3e3644a7453b6513db2f9bc270f77943573f
CVE-2015-8789 (Use-after-free vulnerability in the EbmlMaster::Read function in libEB ...)
	{DSA-3538-1}
	- libebml 1.3.3-1
	[squeeze] - libebml (Vulnerable code not present)
	NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
	NOTE: https://github.com/Matroska-Org/libebml/commit/88409e2a94dd3b40ff81d08bf6d92f486d036b24
CVE-2015-8788
	RESERVED
CVE-2015-8787 (The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c i ...)
	- linux 4.3.5-1
	[jessie] - linux (Vulnerable code introduced in v3.19-rc1)
	[wheezy] - linux (Vulnerable code introduced in v3.19-rc1)
	- linux-2.6 (Vulnerable code introduced in v3.19-rc1)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300731
	NOTE: https://lkml.org/lkml/2015/12/2/618
	NOTE: Introduced by: https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1)
	NOTE: Fixed by: https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/27/6
CVE-2015-8786 (The Management plugin in RabbitMQ before 3.6.1 allows remote authentic ...)
	- rabbitmq-server 3.6.5-1
	[jessie] - rabbitmq-server (Minor issue)
	[wheezy] - rabbitmq-server (lengths_age or lengths_incr parameters are not present)
	NOTE: https://github.com/rabbitmq/rabbitmq-management/issues/97
CVE-2015-8780 (Samsung wssyncmlnps before 2015-10-31 allows directory traversal in a ...)
	NOT-FOR-US: Samsung
CVE-2015-8783 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...)
	{DSA-3467-1 DLA-880-1 DLA-405-1}
	- tiff 4.0.6-1
	- tiff3
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522
	NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
CVE-2015-8782 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...)
	{DSA-3467-1 DLA-880-1 DLA-405-1}
	- tiff 4.0.6-1
	- tiff3
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522
	NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
CVE-2015-8781 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...)
	{DSA-3467-1 DLA-880-1 DLA-405-1}
	- tiff 4.0.6-1
	- tiff3
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522#0
	NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
CVE-2015-8784 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...)
	{DSA-3467-1 DLA-880-1 DLA-405-1}
	- tiff 4.0.6-1
	- tiff3
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2508
	NOTE: Can be reproduced with tiff compiled with AddressSanitizer
	NOTE: and the same reproducer file http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
	NOTE: Commit: https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/4
CVE-2015-XXXX [buffer overflows in init_cups]
	- cups-filters 1.6.0-1 (unimportant)
	- foomatic-filters (unimportant)
	[jessie] - foomatic-filters (Minor issue)
	[wheezy] - foomatic-filters (Minor issue)
	[squeeze] - foomatic-filters 4.0.5-6+squeeze2+deb6u13
	NOTE: workaround entry for DLA-399-1 until/if CVE assigned
	NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1336
	NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7431
	NOTE: Doesn't cross any security boundary
CVE-2015-8775
	RESERVED
CVE-2015-8774
	RESERVED
CVE-2015-8773 (Stack-based buffer overflow in McPvDrv.sys 4.6.111.0 in McAfee File Lo ...)
	NOT-FOR-US: McAfee
CVE-2015-8772 (McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protecti ...)
NOT-FOR-US: McAfee CVE-2015-8779 (Stack-based buffer overflow in the catopen function in the GNU C Libra ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-7 (bug #812455) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17905#c0 CVE-2015-8778 (Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-8 (bug #812441) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18240 CVE-2015-8776 (The strftime function in the GNU C Library (aka glibc or libc6) before ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-7 (bug #812445) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18985 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 CVE-2015-8771 (The generate_smb_nt_hash function in include/functions.inc in GOsa all ...) {DLA-562-1 DLA-408-1} - gosa 2.7.4+reloaded2-6 [jessie] - gosa 2.7.4+reloaded2-1+deb8u2 NOTE: https://github.com/gosa-project/gosa-core/commit/a67a047cba2cdae8bccb0f0e2bc6d3eb45cfcbc8 CVE-2015-8770 (Directory traversal vulnerability in the set_skin function in program/ ...) {DSA-3541-1 DLA-392-1} - roundcube 1.1.4+dfsg.1-1 NOTE: http://web.archive.org/web/20160329044421/http://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released NOTE: https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d CVE-2015-8769 (SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attacke ...) NOT-FOR-US: Joomla! CVE-2015-8768 (click/install.py in click does not require files in package filesystem ...) NOT-FOR-US: Click package manager NOTE: http://www.ubuntu.com/usn/usn-2771-1/ CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in content/content ...) NOT-FOR-US: Symphony CMS CVE-2015-8765 (Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1. ...) 
NOT-FOR-US: McAfee CVE-2015-8761 (The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly ...) NOT-FOR-US: Values module for Drupal CVE-2015-8760 (The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote att ...) NOT-FOR-US: TYPO3 CVE-2015-8759 (Cross-site scripting (XSS) vulnerability in the typoLink function in T ...) NOT-FOR-US: TYPO3 CVE-2015-8758 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified fro ...) NOT-FOR-US: TYPO3 CVE-2015-8757 (Cross-site scripting (XSS) vulnerability in the Extension Manager in T ...) NOT-FOR-US: TYPO3 CVE-2015-8756 (Cross-site scripting (XSS) vulnerability in the search result view in ...) NOT-FOR-US: TYPO3 CVE-2015-8755 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified bac ...) NOT-FOR-US: TYPO3 CVE-2015-8754 (The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote att ...) NOT-FOR-US: Mollom module for Drupal CVE-2015-8753 (SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization ...) NOT-FOR-US: SAP Afaria CVE-2015-8752 REJECTED CVE-2015-8767 (net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not prope ...) {DSA-3448-1 DLA-412-1} - linux 4.3.1-1 [wheezy] - linux 3.2.73-2+deb7u3 - linux-2.6 NOTE: https://git.kernel.org/linus/635682a14427d241bab7bbdeebb48a7d7b91638e (v4.3-rc4) NOTE: https://www.openwall.com/lists/oss-security/2016/01/11/4 CVE-2015-XXXX [use after free / double free] - lighttpd 1.4.39-1 [jessie] - lighttpd (Regression introduced in 1.4.36) [wheezy] - lighttpd (Regression introduced in 1.4.36) [squeeze] - lighttpd (Regression introduced in 1.4.36) NOTE: http://redmine.lighttpd.net/issues/2700 NOTE: Introduced in 1.4.36: http://web.archive.org/web/20150906061055/http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2976 CVE-2015-8764 (Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 ...) 
- freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8763 (The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attac ...) - freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8762 (The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attac ...) - freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8751 (Integer overflow in the jas_matrix_create function in JasPer allows co ...) - jasper 1.900.1-5.1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294039 NOTE: In 1.900.1-5.1 this issue was fixed as part of the patch for CVE-2008-3520 NOTE: like other distribution did. CVE-2015-8750 (libdwarf 20151114 and earlier allows remote attackers to cause a denia ...) {DLA-669-1 DLA-388-1} - dwarfutils 20160507-1 (bug #813182) [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294264 NOTE: https://github.com/tomhughes/libdwarf/commit/11750a2838e52953013e3114ef27b3c7b1780697 CVE-2015-8749 (The volume_utils._parse_volume_info function in OpenStack Compute (Nov ...) - nova 2:13.0.0~rc3-1 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: https://launchpad.net/bugs/1516765 NOTE: Affects: >= 2014.2 <= 2015.1.2, ==12.0.0 CVE-2015-8748 (Radicale before 1.1 allows remote authenticated users to bypass owner_ ...) {DSA-3462-1 DLA-403-1} - radicale 1.1.1-1 (bug #809920) CVE-2015-8747 (The multifilesystem storage backend in Radicale before 1.1 allows remo ...) {DSA-3462-1 DLA-403-1} - radicale 1.1.1-1 (bug #809920) CVE-2015-8746 (fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 d ...) 
- linux 4.3.1-1 [jessie] - linux 3.16.7-ckt20-1 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1295802 NOTE: Fixed by: https://git.kernel.org/linus/18e3b739fdc826481c6a1335ce0c5b19b3d415da (v4.3-rc1) NOTE: Fixed as well in v3.16.7-ckt18 (commit: 6a64d8c4c07c176abee384803f28fa1507963369) NOTE: Introduced by: https://git.kernel.org/linus/ec011fe847347b40c60fdb5085f65227762e2e08 (v3.13-rc1) CVE-2015-8604 (SQL injection vulnerability in the host_new_graphs function in graphs_ ...) {DSA-3494-1 DLA-386-1} - cacti 0.8.8f+ds1-4 NOTE: http://bugs.cacti.net/view.php?id=2652 NOTE: https://www.openwall.com/lists/oss-security/2016/01/04/8 CVE-2015-8742 (The dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-60.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11931 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d48b0eff28c995947ac3f8d842ddd9b50dd5798d CVE-2015-8741 (The dissect_ppi function in epan/dissectors/packet-ppi.c in the PPI di ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2290eba5cb25f927f9142680193ac1158d35506e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11876 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-59.html CVE-2015-8740 (The dissect_tds7_colmetadata_token function in epan/dissectors/packet- ...) 
- wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e78093f69f1e95df919bbe644baa06c7e4e720c0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11846 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-58.html CVE-2015-8739 (The ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c in the ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=96bf82ced0b58c7a4c2a6c300efeebe4f05c0ff4 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-57.html CVE-2015-8738 (The s7comm_decode_ud_cpu_szl_subfunc function in epan/dissectors/packe ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=858c3f0079f987833fb22eba2c361d1a88ba4103 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11823 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-56.html CVE-2015-8737 (The mp2t_open function in wiretap/mp2t.c in the MP2T file parser in Wi ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e3fc691368af60bbbaec9e038ee6a6d3b7707955 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11821 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-55.html CVE-2015-8736 (The mp2t_find_next_pcr function in wiretap/mp2t.c in the MP2T file par ...) 
- wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=baa3eab78b422616a92ee38551c1b1510dca4ccb NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11820 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-54.html CVE-2015-8735 (The get_value function in epan/dissectors/packet-btatt.c in the Blueto ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=83bad0215dae54e77d34f8b187900125f672366e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11817 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-53.html CVE-2015-8734 (The dissect_nwp function in epan/dissectors/packet-nwp.c in the NWP di ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9b2c889abe0219fc162659e106c5b95deb6268f3 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11726 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-52.html CVE-2015-8733 (The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sn ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=53a3e53fce30523d11ab3df319fba7b75d63076f NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11827 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-51.html CVE-2015-8732 (The dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/p ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eb0c034f6e4cdbf5ae36dd9ba8e2743630b7bd38 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9352616ec9742f2ed3d2802d0c8c100d51ca410b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-50.html CVE-2015-8731 (The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c i ...) {DSA-3516-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2930d3105c3ff2bfb1278b34ad10e2e71c3b8fb0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11829 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-49.html NOTE: fix released in 2.0.1 is incomplete, but the rest is tracked under CVE-2016-2530 CVE-2015-8730 (epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12. ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d2644aef369af0667220b5bd69996915b29d753d NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-48.html CVE-2015-8729 (The ascend_seek function in wiretap/ascendtext.c in the Ascend file pa ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=338da1c0ea0b2f8595d3a7b6d6c9548f7da3e27b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11794 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-47.html CVE-2015-8728 (The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in t ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=15edc8d714b11dcff3a04e5d00b8db9adfdb81ed NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11797 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-46.html CVE-2015-8727 (The dissect_rsvp_common function in epan/dissectors/packet-rsvp.c in t ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=56baca60271379cb97f6a4a6bf72eb526e8b52d0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11793 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-45.html CVE-2015-8726 (wiretap/vwr.c in the VeriWave file parser in Wireshark 1.12.x before 1 ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b8fa3d463c1bdd9b84c897441e7a5c8ad1f0f292 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=185911de7d337246044c8e99da2f5b4bac74c0d5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-44.html CVE-2015-8725 (The dissect_diameter_base_framed_ipv6_prefix function in epan/dissecto ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=aaa28a9d39158ca1033bbd3372cf423abbf4f202 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11792 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-43.html CVE-2015-8724 (The AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c i ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 (unimportant) [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=83f2818118ae255db949bb3a4b3a26ebd1c5f7c5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11826 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-42.html NOTE: Not suitable for code injection CVE-2015-8723 (The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802 ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=40b283181c63cb28bc6f58d80315eccca6650da0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11790 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-42.html CVE-2015-8722 (epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.12. ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2259bf8a827088081bef101f98e4983de8aa8099 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b32d505a59475d51d9b2bed5f0869d2d154e8b6 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11767 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-41.html CVE-2015-8721 (Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c i ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cec0593ae6c3bca65eff65741c2a10f3de3e0afe NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11548 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-40.html CVE-2015-8720 (The dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=921bb07115fbffc081ec56a5022b4a9d58db6d39 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-39.html CVE-2015-8719 (The dissect_dns_answer function in epan/dissectors/packet-dns.c in the ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=30651ab18b42e666f57ea239e58f3ff3a5e9c4ad NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10988 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-38.html CVE-2015-8718 (Double free vulnerability in epan/dissectors/packet-nlm.c in the NLM d ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=81dfe6d450ada42d12f20ac26a6d8ae2302df37e NOTE: http://www.wireshark.org/security/wnpa-sec-2015-37.html CVE-2015-8717 (The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP di ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2ddd92b6f8f587325b9e14598658626f3a007c5c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9887 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-36.html CVE-2015-8716 (The init_t38_info_conv function in epan/dissectors/packet-t38.c in the ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eb6ccb1b0c4ad02b828652c3fe6e8d51c30a315e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9887 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-35.html CVE-2015-8715 (epan/dissectors/packet-alljoyn.c in the AllJoyn dissector in Wireshark ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=40caff2d1fb08262c84aaaa8ac584baa8866dd7c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11607 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-34.html CVE-2015-8714 (The dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c in t ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d34267d0503a67235bf259fd2f2f2d2bb8b18cf5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11610 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-33.html CVE-2015-8713 (epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=67b6d4f7e6f2117b40957fd51518aa2a3e659002 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11606 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-32.html CVE-2015-8712 (The dissect_hsdsch_channel_info function in epan/dissectors/packet-umt ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2ae329a47b7f0ac94089c23e79c6b8bc18ba80ea NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11602 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-32.html CVE-2015-8711 (epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12. ...) 
{DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5bf565690ad9f0771196d8fa237aa37fae3bb7cc NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5b4ada17723ed8af7e85cb48d537437ed614e417 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=23379ae3624df82c170f48e5bb3250a97ec61c13 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11841 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11835 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11602 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-31.html CVE-2015-8707 (Password reset tokens in Magento CE before 1.9.2.2, and Magento EE bef ...) NOT-FOR-US: Magento CVE-2015-8744 (QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC ...) {DSA-3471-1} - qemu 1:2.5+dfsg-1 [wheezy] - qemu (Vulnerable code introduced later) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=a7278b36fcab9af469563bd7b9dadebe2ae25e48 (v2.5.0-rc0) NOTE: VMXNET3 device implementation introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=786fd2b0f87baded8c9e55307b99719eea3e016e (v1.5.0-rc0) CVE-2015-8745 (QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC ...) 
{DSA-3471-1} - qemu 1:2.5+dfsg-1 [wheezy] - qemu (Vulnerable code introduced later) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=c6048f849c7e3f009786df76206e895a69de032c (v2.5.0-rc0) NOTE: VMXNET3 device implementation introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=786fd2b0f87baded8c9e55307b99719eea3e016e (v1.5.0-rc0) CVE-2015-8743 (QEMU (aka Quick Emulator) built with the NE2000 device emulation suppo ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-2 (bug #810519) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1264929 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00050.html NOTE: Introduced by (at least after): http://git.qemu.org/?p=qemu.git;a=commit;h=69b910399a3c40620a5213adaeb14a37366d97ac NOTE: https://www.openwall.com/lists/oss-security/2016/01/04/1 CVE-2015-8706 RESERVED CVE-2015-8705 (buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logg ...) - bind9 (Only affects 9.10.0->9.10.3-P2) NOTE: https://kb.isc.org/article/AA-01336 CVE-2015-8704 (apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.1 ...) {DSA-3449-1 DLA-396-1} - bind9 1:9.10.3.dfsg.P4-6 (bug #812077) NOTE: https://kb.isc.org/article/AA-01335 CVE-2015-8703 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 ...) NOT-FOR-US: ZTE router CVE-2015-8702 (The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allow ...) {DSA-3527-1 DLA-384-1} - inspircd 2.0.20-1 NOTE: https://github.com/inspircd/inspircd/commit/6058483d9fbc1b904d5ae7cfea47bfcde5c5b559 NOTE: http://www.inspircd.org/2015/04/16/v2019-released.html CVE-2015-8701 (QEMU (aka Quick Emulator) built with the Rocker switch emulation suppo ...) 
- qemu 1:2.5+dfsg-3 (bug #809313) [jessie] - qemu (Vulnerable code introduced after qemu 2.3) [wheezy] - qemu (Vulnerable code introduced after qemu 2.3) [squeeze] - qemu (Vulnerable code introduced after qemu 2.3) - qemu-kvm (Vulnerable code introduced after qemu 2.3) NOTE: https://www.openwall.com/lists/oss-security/2015/12/28/6 CVE-2015-8700 RESERVED CVE-2015-8699 (Multiple cross-site scripting (XSS) vulnerabilities in CA Release Auto ...) NOT-FOR-US: CA Release Automation CVE-2015-8698 (CA Release Automation (formerly LISA Release Automation) 5.0.2 before ...) NOT-FOR-US: CA Release Automation CVE-2015-8696 RESERVED CVE-2015-8695 RESERVED CVE-2015-8694 RESERVED CVE-2015-8693 RESERVED CVE-2015-8692 RESERVED CVE-2015-8691 RESERVED CVE-2015-8690 RESERVED CVE-2015-8689 RESERVED CVE-2015-8688 (Gajim before 0.16.5 allows remote attackers to modify the roster and i ...) {DSA-3492-1 DLA-413-1} - gajim 0.16.5-0.1 (bug #809900) NOTE: http://gultsch.de/gajim_roster_push_and_message_interception.html NOTE: https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/ CVE-2015-8687 (Multiple cross-site scripting (XSS) vulnerabilities in the Management ...) NOT-FOR-US: Alcatel CVE-2015-8686 RESERVED CVE-2015-8685 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr 3.5.8+dfsg1-1 (bug #812449) [jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1 NOTE: https://github.com/Dolibarr/dolibarr/issues/4291 NOTE: https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8 CVE-2015-8684 (Exponent CMS before 2.3.7 does not properly restrict the types of file ...) NOT-FOR-US: Exponent CMS CVE-2015-8682 (The Video0 driver in Huawei P8 smartphones with software GRA-UL00 befo ...) NOT-FOR-US: Huawei CVE-2015-8681 (The ovisp driver in Huawei P8 smartphones with software GRA-TL00 befor ...) NOT-FOR-US: Huawei CVE-2015-8680 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 be ...) 
NOT-FOR-US: Huawei CVE-2015-8679 (The Maxim_smartpa_dev driver in Huawei P8 smartphones with software GR ...) NOT-FOR-US: Huawei CVE-2015-8678 (The ION driver in Huawei P8 smartphones with software GRA-TL00 before ...) NOT-FOR-US: ION driver in Huawei P8 smartphones CVE-2015-8677 (Memory leak in Huawei S5300EI, S5300SI, S5310HI, and S6300EI Campus se ...) NOT-FOR-US: Huawei CVE-2015-8676 (Memory leak in Huawei S5300EI, S5300SI, S5310HI, S6300EI/ S2350EI, and ...) NOT-FOR-US: Huawei CVE-2015-8675 (Huawei S5300 Campus Series switches with software before V200R005SPH00 ...) NOT-FOR-US: Huawei CVE-2015-8674 REJECTED CVE-2015-8673 (Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoi ...) NOT-FOR-US: Huawei CVE-2015-8672 (The presentation transmission permission management mechanism in Huawe ...) NOT-FOR-US: Huawei CVE-2015-8671 (Huawei LogCenter V100R001C10 could allow an authenticated attacker to ...) NOT-FOR-US: Huawei CVE-2015-8670 (Huawei LogCenter V100R001C10 could allow an authenticated attacker to ...) NOT-FOR-US: Huawei CVE-2015-8667 (Cross-site scripting (XSS) vulnerability in Reset Your Password module ...) NOT-FOR-US: Exponent CMS CVE-2015-8664 (Integer overflow in the WebCursor::Deserialize function in content/com ...) - chromium-browser 47.0.2526.111-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8663 (The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8. ...) {DLA-1611-1} - ffmpeg 7:2.8.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=abee0a1c60612e8638640a8a3738fffb65e16dbf NOTE: For libav in jessie the patch needs to applied in libavcodec/decode.c in line 1884. CVE-2015-8662 (The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg befor ...) 
{DLA-1611-1} - ffmpeg 7:2.8.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5 CVE-2015-8661 (The h264_slice_header_init function in libavcodec/h264_slice.c in FFmp ...) {DLA-1611-1} - ffmpeg 7:2.8.3-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=4ea4d2f438c9a7eba37980c9a87be4b34943e4d5 CVE-2015-8658 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8657 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8656 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8655 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8654 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8653 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8652 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8651 (Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8650 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8649 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8648 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8647 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-8646 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8645 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8644 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8643 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8642 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8641 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8640 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8639 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8638 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8637 REJECTED CVE-2015-8636 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8635 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8634 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8633 RESERVED CVE-2015-8632 RESERVED CVE-2015-8631 (Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MI ...) {DSA-3466-1 DLA-423-1} - krb5 1.13.2+dfsg-5 (bug #813126) NOTE: Fixed by: https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2 CVE-2015-8630 (The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functi ...) 
	- krb5 1.13.2+dfsg-5 (bug #813127)
	[jessie] - krb5 1.12.1+dfsg-19+deb8u2
	[wheezy] - krb5 (Vulnerability introduced in 1.12)
	[squeeze] - krb5 (Vulnerability introduced in 1.12)
	NOTE: Fixed by: https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
	NOTE: Introduced by: https://github.com/krb5/krb5/commit/0780e46fc13dbafa177525164997cd204cc50b51 (krb5-1.12-alpha1)
CVE-2015-8629 (The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in ...)
	{DSA-3466-1 DLA-423-1}
	- krb5 1.13.2+dfsg-5 (bug #813296)
	NOTE: Fixed by: https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
CVE-2015-8620 (Heap-based buffer overflow in the Avast virtualization driver (aswSnx. ...)
	NOT-FOR-US: Avast
CVE-2015-8669 (libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12 ...)
	- phpmyadmin 4:4.5.3.1-1 (unimportant)
	[squeeze] - phpmyadmin (Vulnerable code not present)
	NOTE: https://www.phpmyadmin.net/security/PMASA-2015-6/
	NOTE: non-issue for Debian-packaged version
CVE-2015-8668 (Heap-based buffer overflow in the PackBitsPreEncode function in tif_pa ...)
	{DLA-693-1}
	[jessie] - tiff 4.0.3-12.3+deb8u2
	- tiff 4.0.6-3 (bug #842046)
	- tiff3
	[wheezy] - tiff3 (Does not ship libtiff tools)
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563
	NOTE: Red Hat say it's only OOB read: https://bugzilla.redhat.com/show_bug.cgi?id=1294425#c1
	NOTE: Red Hat's patch is partially incorrect according to upstream
	NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
	NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677
	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 al ...)
	{DSA-3467-1 DLA-610-1 DLA-402-1}
	- tiff 4.0.6-1 (bug #809021)
	- tiff3
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/25/1
	NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
CVE-2015-8665 (tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a den ...)
	{DSA-3467-1 DLA-610-1 DLA-402-1}
	- tiff 4.0.6-1 (bug #808968)
	- tiff3
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/24/2
	NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
CVE-2015-8666 (Heap-based buffer overflow in QEMU, when built with the Q35-chipset-ba ...)
	{DLA-1497-1}
	- qemu 1:2.5+dfsg-1
	[wheezy] - qemu (Minor issue)
	[squeeze] - qemu (Unsupported in squeeze-lts)
	- qemu-kvm
	[squeeze] - qemu-kvm (Unsupported in squeeze-lts)
	[wheezy] - qemu-kvm (Minor issue)
	NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb (v2.5.0-rc1)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/24/1
	NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af
CVE-2015-8660 (The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel t ...)
	- linux 4.3.3-3
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545 (v4.4-rc4)
	NOTE: OverlayFS introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/23/5
CVE-2015-8659 (The idle stream handling in nghttp2 before 1.6.0 allows attackers to h ...)
	- nghttp2 1.6.0-1
	[jessie] - nghttp2 (Vulnerable code introduced later)
	NOTE: https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/
	NOTE: Fixed by: https://github.com/tatsuhiro-t/nghttp2/commit/f8c30d022982d089fb90543c0cd5628b161d065d
	NOTE: Introduced at least after: https://github.com/tatsuhiro-t/nghttp2/commit/b2fb888363c08e98aae0638db62cdf7d164ea1d1
CVE-2015-8628 (The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContribution ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T109724
CVE-2015-8627 (MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T97897
CVE-2015-8626 (The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T115522
CVE-2015-8625 (MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, ...)
	- mediawiki (Vulnerable code not present)
	NOTE: https://phabricator.wikimedia.org/T118032
CVE-2015-8624 (The User::matchEditToken function in includes/User.php in MediaWiki be ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T119309
CVE-2015-8623 (The User::matchEditToken function in includes/User.php in MediaWiki be ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://gerrit.wikimedia.org/r/#/c/156336/5/includes/User.php
CVE-2015-8622 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, ...)
	- mediawiki 1:1.25.5-1 (low)
	[wheezy] - mediawiki (Minor issue)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T117899
CVE-2015-8621 (t-coffee before 11.00.8cbe486-2 allows local users to write to ~/.t_co ...)
	- t-coffee 11.00.8cbe486-2 (low; bug #751579)
	[jessie] - t-coffee (Minor issue)
	[wheezy] - t-coffee (Minor issue)
	[squeeze] - t-coffee (version in Squeeze uses system() and umask is handled correctly by sh (as opposed to later versions that use mkdir()))
CVE-2015-8617 (Format string vulnerability in the zend_throw_or_error function in Zen ...)
	- php7.0 7.0.1-1
	NOTE: https://bugs.php.net/bug.php?id=71105
	NOTE: https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e (php-7.0.2RC1)
CVE-2015-8616 (Use-after-free vulnerability in the Collator::sortWithSortKeys functio ...)
	- php7.0 7.0.1-1
	NOTE: https://bugs.php.net/bug.php?id=71020
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/22/4
CVE-2015-8697 (stalin 0.11-5 allows local users to write to arbitrary files. ...)
	- stalin (unimportant; bug #808730)
	[squeeze] - stalin (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/27/1
	NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-8708 (Stack-based buffer overflow in the conv_euctojis function in codeconv. ...)
	- claws-mail 3.13.1-1.1 (bug #811048)
	[jessie] - claws-mail (Incomplete fix for CVE-2015-8614 not applied)
	[wheezy] - claws-mail (Incomplete fix for CVE-2015-8614 not applied)
	[squeeze] - claws-mail (Incomplete fix for CVE-2015-8614 not applied; instead all fixes included in DLA-383-1)
	- macopix (Incomplete fix not applied)
CVE-2015-8614 (Multiple stack-based buffer overflows in the (1) conv_jistoeuc, (2) co ...)
	{DSA-3452-1 DLA-383-1}
	- claws-mail 3.13.1-1
	- macopix 1.7.4-6
	[jessie] - macopix (Minor issue)
	[wheezy] - macopix (Minor issue)
	NOTE: http://git.claws-mail.org/?p=claws.git;a=commit;h=d390fa07f5548f3173dd9cc13b233db5ce934c82 (3.13.1)
	NOTE: http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222 (not yet in tagged release)
	NOTE: Upstream patch is broken - first comparison uses wrong operator and others appear
	NOTE: to assume wrong maximum character length.
	NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
	NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3584
	NOTE: https://bugs.gentoo.org/show_bug.cgi?id=569010
CVE-2015-8611 (BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, and P ...)
	NOT-FOR-US: BIG-IP
CVE-2015-8613 (Stack-based buffer overflow in the megasas_ctrl_get_info function in Q ...)
	{DSA-3471-1}
	- qemu 1:2.5+dfsg-3 (bug #809232)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284008
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/21/7
	NOTE: LSI Megaraid SAS HBA emulation introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0)
CVE-2015-8618 (The Int.Exp Montgomery code in the math/big library in Go 1.5.x before ...)
	- golang 2:1.5.3-1 (bug #809168)
	[jessie] - golang (Introduced in 1.5 release)
	[wheezy] - golang (Introduced in 1.5 release)
	NOTE: https://go-review.googlesource.com/#/c/17672/
	NOTE: Introduced in 1.5 release. Fixed in 1.5.3 upstream.
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/21/6
CVE-2015-8615 (The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 doe ...)
	{DLA-479-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[jessie] - xen (Only affects 4.6)
	[wheezy] - xen (Only affects 4.6)
	[squeeze] - xen (Only affects 4.6)
	NOTE: http://xenbits.xen.org/xsa/advisory-169.html
CVE-2015-8619 (The Human Monitor Interface support in QEMU allows remote attackers to ...)
	{DSA-3471-1}
	- qemu 1:2.5+dfsg-5 (bug #809237)
	[wheezy] - qemu (Issue introduced after 1.2)
	[squeeze] - qemu (Issue introduced after 1.2)
	- qemu-kvm
	[wheezy] - qemu-kvm (Introduced after 1.2)
	NOTE: According to the maintainer in https://bugs.debian.org/809237#17 introduced after 1.2
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283926
CVE-2015-8610
	RESERVED
CVE-2015-8609
	RESERVED
CVE-2015-8608 (The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow rem ...)
	- perl (Only affects Perl on Windows)
	NOTE: https://rt.perl.org/Public/Bug/Display.html?id=126755
CVE-2015-8607 (The canonpath function in the File::Spec module in PathTools before 3. ...)
	{DSA-3441-1}
	- perl 5.22.1-4 (bug #810719)
	[wheezy] - perl (Introduced in 5.20.0)
	[squeeze] - perl (Introduced in 5.20.0)
	- libfile-spec-perl
	[wheezy] - libfile-spec-perl (Introduced in 3.47)
	[squeeze] - libfile-spec-perl (Introduced in 3.47)
	NOTE: http://perl5.git.perl.org/perl.git/commit/130509aa42a87eef258fab0182ee2c7ad16baa8b
	NOTE: https://rt.perl.org/Public/Bug/Display.html?id=126862
CVE-2015-8606 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CM ...)
	NOT-FOR-US: SilverStripe
CVE-2015-8605 (ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 a ...)
	{DSA-3442-1 DLA-385-2 DLA-385-1}
	- isc-dhcp 4.3.3-7 (bug #810875)
	NOTE: https://kb.isc.org/article/AA-01334
CVE-2015-8603 (Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 a ...)
	- serendipity
CVE-2015-8602 (The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does ...)
	NOT-FOR-US: Token Insert Entity module for Drupal
CVE-2015-8601 (The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not proper ...)
	NOT-FOR-US: Chat Room module for Drupal
CVE-2015-8600 (The SysAdminWebTool servlets in SAP Mobile Platform allow remote attac ...)
	NOT-FOR-US: SAP
CVE-2015-8599
	RESERVED
CVE-2015-8598
	RESERVED
CVE-2015-8597 (Open redirect vulnerability in Blue Coat ProxySG 6.5 before 6.5.8.8 an ...)
	NOT-FOR-US: Blue Coat
CVE-2015-8596 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8595 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8594 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8593 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8592 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-8612 (The EnableNetwork method in the Network class in plugins/mechanism/Net ...)
	{DSA-3427-1}
	- blueman 2.0.3-1
	[squeeze] - blueman (vulnerable code not present)
	NOTE: https://github.com/blueman-project/blueman/security/advisories/GHSA-59mx-cfv4-h4hw
	NOTE: https://twitter.com/thegrugq/status/677809527882813440
	NOTE: https://github.com/blueman-project/blueman/commit/a3845bbed5fdddf14daec436b7e74f62719a71c1
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/18/6
CVE-2015-8709 (** DISPUTED ** kernel/ptrace.c in the Linux kernel through 4.4.1 misha ...)
	- linux 4.3.3-3
	[jessie] - linux 3.16.7-ckt20-1+deb8u2
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/12/17/12
	NOTE: https://lkml.org/lkml/2015/12/12/259
CVE-2015-8591
	REJECTED
CVE-2015-8590
	REJECTED
CVE-2015-8589
	REJECTED
CVE-2015-8588
	REJECTED
CVE-2015-8587
	REJECTED
CVE-2015-8586
	REJECTED
CVE-2015-8585
	REJECTED
CVE-2015-8584
	REJECTED
CVE-2015-8583
	REJECTED
CVE-2015-8582
	REJECTED
CVE-2015-8581
	REJECTED
CVE-2015-8580 (Multiple use-after-free vulnerabilities in the (1) Print method and (2 ...)
	NOT-FOR-US: Foxit
CVE-2015-8579 (Kaspersky Total Security 2015 15.0.2.361 allocates memory with Read, W ...)
	NOT-FOR-US: Kaspersky
CVE-2015-8578 (AVG Internet Security 2015 allocates memory with Read, Write, Execute ...)
	NOT-FOR-US: AVG
CVE-2015-8577 (The Buffer Overflow Protection (BOP) feature in McAfee VirusScan Enter ...)
	NOT-FOR-US: McAfee
CVE-2015-8576
	REJECTED
CVE-2015-8574
	REJECTED
CVE-2015-8573
	REJECTED
CVE-2015-XXXX [XSA-166: ioreq handling possibly susceptible to multiple read issue]
	- xen 4.8.0~rc3-1
	[jessie] - xen 4.4.1-9+deb8u4
	[wheezy] - xen 4.1.6.lts1-1
	[squeeze] - xen (Unsupported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-166.html
CVE-2015-8572 (Multiple buffer overflows in Autodesk Design Review (ADR) before 2013 ...)
	NOT-FOR-US: Autodesk
CVE-2015-8571 (Integer overflow in Autodesk Design Review (ADR) before 2013 Hotfix 2 ...)
	NOT-FOR-US: Autodesk
CVE-2015-8570 (The password reset functionality in Lepide Active Directory Self Servi ...)
	NOT-FOR-US: Lepide
CVE-2015-8575 (The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel ...)
	{DSA-3434-1 DLA-378-1}
	- linux 4.3.3-3
	- linux-2.6
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 (v4.4-rc6)
CVE-2015-8566 (The Session package 1.x before 1.3.1 for Joomla! Framework allows remo ...)
	NOT-FOR-US: Session package for Joomla
CVE-2015-8565 (Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3 ...)
	NOT-FOR-US: Joomla!
CVE-2015-8564 (Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows ...)
	NOT-FOR-US: Joomla!
CVE-2015-8563 (Cross-site request forgery (CSRF) vulnerability in the com_templates c ...)
	NOT-FOR-US: Joomla!
CVE-2015-8562 (Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to con ...)
	NOT-FOR-US: Joomla!
CVE-2015-8561 (The F1BookView ActiveX control in F1 Bookview in Schneider Electric Pr ...)
	NOT-FOR-US: F1BookView
CVE-2015-8555 (Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU ...)
	{DSA-3519-1 DLA-479-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[squeeze] - xen (Unsupported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-165.html
CVE-2015-8554 (Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using th ...)
	{DLA-479-1}
	- xen 4.4.0-1
	[squeeze] - xen (Unsupported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-164.html
CVE-2015-8553 (Xen allows guest OS users to obtain sensitive information from uniniti ...)
	{DSA-4497-1}
	- linux 4.19.37-1
	[jessie] - linux (Intrusive; breaks qemu as used in Jessie; cf. kernel-sec for more details)
	[wheezy] - linux (Intrusive; breaks qemu as used in Wheezy; cf. kernel-sec for more details)
	- linux-2.6
	[squeeze] - linux-2.6 (Xen not supported in Squeeze LTS)
	NOTE: CVE for the incomplete patches from XSA-120 and supplied in
	NOTE: XSA-120 v5+ addendum patch.
	NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1289128#c2
	NOTE: http://xenbits.xen.org/xsa/advisory-120.html
	NOTE: Patch is discussed in http://thread.gmane.org/gmane.comp.emulators.xen.devel/140440/focus=140441
	NOTE: and http://thread.gmane.org/gmane.linux.kernel/1924087/focus=1924088
	NOTE: https://git.kernel.org/linus/7681f31ec9cdacab4fd10570be924f2cef6669ba
CVE-2015-8552 (The PCI backend driver in Xen, when running on an x86 system and using ...)
	{DSA-3434-1}
	[experimental] - linux 4.4~rc6-1~exp1
	- linux 4.3.3-3
	- linux-2.6
	[squeeze] - linux-2.6 (Xen not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-157.html
	NOTE: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d
	NOTE: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9
	NOTE: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0
	NOTE: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49
	NOTE: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0
CVE-2015-8551 (The PCI backend driver in Xen, when running on an x86 system and using ...)
	{DSA-3434-1}
	[experimental] - linux 4.4~rc6-1~exp1
	- linux 4.3.3-3
	- linux-2.6
	[squeeze] - linux-2.6 (Xen not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-157.html
	NOTE: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d
	NOTE: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9
	NOTE: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0
	NOTE: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49
	NOTE: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0
CVE-2015-8550 (Xen, when used on a system providing PV backends, allows local guest O ...)
	{DSA-3519-1 DSA-3471-1 DSA-3434-1 DLA-479-1}
	[experimental] - linux 4.4~rc6-1~exp1
	- linux 4.3.3-3
	- linux-2.6
	[squeeze] - linux-2.6 (Xen not supported in Squeeze LTS)
	- qemu 1:2.5+dfsg-2 (bug #809229)
	[wheezy] - qemu (vulnerable code not present)
	[squeeze] - qemu (vulnerable code not present)
	- qemu-kvm
	[wheezy] - qemu-kvm (vulnerable code not present)
	[squeeze] - qemu-kvm (vulnerable code not present)
	- xen 4.8.0~rc3-1 (bug #823620)
	[squeeze] - xen (Unsupported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-155.html
	NOTE: https://git.kernel.org/linus/454d5d882c7e412b840e3c99010fe81a9862f6fb
	NOTE: https://git.kernel.org/linus/0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357
	NOTE: https://git.kernel.org/linus/68a33bfd8403e4e22847165d149823a2e0e67c9c
	NOTE: https://git.kernel.org/linus/1f13d75ccb806260079e0679d55d9253e370ec8a
	NOTE: https://git.kernel.org/linus/18779149101c0dd43ded43669ae2a92d21b6f9cb
	NOTE: https://git.kernel.org/linus/be69746ec12f35b484707da505c6c76ff06f97dc
	NOTE: https://git.kernel.org/linus/8135cf8b092723dbfcc611fe6fdcb3a36c9951c5
CVE-2015-8549 (XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows r ...)
	- pyamf
CVE-2015-8569 (The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pp ...)
	{DSA-3434-1}
	- linux 4.3.3-3
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code introduced later)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/7
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=09ccfd238e5a0e670d8178cf50180ea81ae09ae1 (v4.4-rc6)
	NOTE: pptp_{connect,bind} introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=00959ade36acadc00e757f87060bf6e4501d545f (v2.6.37-rc1)
	NOTE: https://lkml.org/lkml/2015/12/14/252
CVE-2015-8568 (Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC ...)
	{DSA-3471-1}
	- qemu 1:2.5+dfsg-3 (bug #808145)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/4
CVE-2015-8567 (Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause ...)
	{DSA-3471-1}
	- qemu 1:2.5+dfsg-3 (bug #808145)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/4
CVE-2015-8559 (The knife bootstrap command in chef Infra client before version 15.4.4 ...)
	- chef (low; bug #809670)
	[buster] - chef (Minor issue; workaround using validatorless bootstrapping)
	[stretch] - chef (Minor issue; workaround using validatorless bootstrapping)
	[jessie] - chef (Minor issue; workaround using validatorless bootstrapping)
	[wheezy] - chef (Minor issue; workaround using validatorless bootstrapping)
	NOTE: https://github.com/chef/chef/issues/3871
	NOTE: https://github.com/chef/chef/pull/8885
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/10
	NOTE: Workaround: use validatorless bootstrapping
CVE-2015-8558 (The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows loca ...)
	{DSA-3471-1 DSA-3470-1 DSA-3469-1}
	- qemu 1:2.5+dfsg-2 (bug #808144)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/9
CVE-2015-8557 (The FontManager._get_nix_font_path function in formatters/img.py in Py ...)
	{DSA-3445-1 DLA-369-1}
	- pygments 2.0.1+dfsg-2 (bug #802828)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1276321
	NOTE: https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92f
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/6
CVE-2015-8548 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...)
	{DSA-3418-1}
	- chromium-browser 47.0.2526.80-1
	[wheezy] - chromium-browser (Not supported in Wheezy)
	[squeeze] - chromium-browser (Not supported in Squeeze LTS)
CVE-2015-8546 (An issue was discovered on Samsung mobile devices with software throug ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2015-8545
	RESERVED
CVE-2015-8544 (NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1 ...)
	NOT-FOR-US: NetApp
CVE-2015-8542 (An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The " ...)
	NOT-FOR-US: Open-Xchange
CVE-2015-8556 (Local privilege escalation vulnerability in the Gentoo QEMU package be ...)
	- qemu (Issue specific to virtfs-proxy-helper in Gentoo installed suid)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/5
CVE-2015-8785 (The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kern ...)
	{DSA-3503-1 DLA-412-1}
	- linux 4.3.5-1
	- linux-2.6
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ca8138f014a913f98e6ef40e939868e1e9ea876 (v4.4-rc5)
	NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea9b9907b82a09bd1a708004454f7065de77c5b0 (v2.6.26-rc1)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1290642
	NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/1
CVE-2015-XXXX [remotely triggerable crash]
	- ruby-eventmachine 1.0.7-1 (bug #678512; bug #696015)
	[jessie] - ruby-eventmachine 1.0.3-6+deb8u1
	[wheezy] - ruby-eventmachine 0.12.10-3+deb7u1
	NOTE: Workaround entry for DLA-549-1 until CVE assigned
	NOTE: https://github.com/eventmachine/eventmachine/issues/501#issuecomment-37307556
CVE-2015-8560 (Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-f ...)
	{DSA-3429-1 DSA-3419-1 DLA-371-1}
	- cups-filters 1.4.0-1 (bug #807930)
	[wheezy] - cups-filters (Vulnerable code not present; introduced in 1.0.42)
	- foomatic-filters 4.0.17-7 (bug #807993)
	NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/13/2
CVE-2015-9097 (The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is ...)
	{DLA-489-1}
	- ruby-mail 2.6.1+dfsg1-1
	NOTE: https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/12/11/3
	NOTE: Fixed in 2.6.0
	NOTE: "Note that, this patch might not be complete ..." https://bugzilla.redhat.com/show_bug.cgi?id=1293598
CVE-2015-8547 (The CoreUserInputHandler::doMode function in core/coreuserinputhandler ...)
	- quassel 1:0.12.2-3 (bug #807801)
	[jessie] - quassel 1:0.10.0-2.3+deb8u2
	[wheezy] - quassel (Vulnerable code not present)
	[squeeze] - quassel (Vulnerable code not present)
	NOTE: https://github.com/quassel/quassel/commit/b8edbda019eeb99da8663193e224efc9d1265dc7
	NOTE: Support for oping a whole channel with /op * was only added in
	NOTE: https://github.com/quassel/quassel/commit/7ecbc1bf921880f7b03af779de7d9611853a0d46 (0.10-beta1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/12/1
CVE-2015-8541
	RESERVED
CVE-2015-8536 (MITRE is populating this ID because it was assigned prior to Lenovo be ...)
	NOT-FOR-US: Lenovo
CVE-2015-8535 (MITRE is populating this ID because it was assigned prior to Lenovo be ...)
	NOT-FOR-US: Lenovo
CVE-2015-8534 (MITRE is populating this ID because it was assigned prior to Lenovo be ...)
	NOT-FOR-US: Lenovo
CVE-2015-8540 (Integer underflow in the png_check_keyword function in pngwutil.c in l ...)
	{DSA-3443-1 DLA-375-1}
	- libpng (bug #807694)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/10/6
	NOTE: https://sourceforge.net/p/libpng/bugs/244/
	NOTE: http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/
	NOTE: Fixed in 1.0.66, 1.2.56, 1.4.19, and 1.5.26
CVE-2015-8543 (The networking implementation in the Linux kernel through 4.3.3, as us ...)
	{DLA-378-1}
	- linux 4.3.3-1
	[jessie] - linux 3.16.7-ckt20-1+deb8u1
	[wheezy] - linux 3.2.73-2+deb7u2
	- linux-2.6
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/3
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9 (v4.4-rc6)
CVE-2015-8539 (The KEYS subsystem in the Linux kernel before 4.4 allows local users t ...)
	- linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd (v4.4-rc3)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc (v4.4-rc1)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284450
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/1
CVE-2015-8538 (dwarf_leb.c in libdwarf allows attackers to cause a denial of service ...)
	{DLA-669-1}
	- dwarfutils 20160507-1 (bug #807817)
	[jessie] - dwarfutils 20120410-2+deb8u1
	[squeeze] - dwarfutils (No segfault with provided test case)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1289385
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/2
	NOTE: http://sourceforge.net/p/libdwarf/code/ci/da724a0bc5eec8e9ec0b0cb0c238a80e34466459/
CVE-2015-8533
	REJECTED
CVE-2015-8532
	REJECTED
CVE-2015-8531 (Cross-site scripting (XSS) vulnerability in IBM Security Access Manage ...)
	NOT-FOR-US: IBM
CVE-2015-8530 (Stack-based buffer overflow in the Initialize function in an ActiveX c ...)
	NOT-FOR-US: IBM
CVE-2015-8529
	RESERVED
CVE-2015-8528
	REJECTED
CVE-2015-8527
	REJECTED
CVE-2015-8526
	REJECTED
CVE-2015-8525
	REJECTED
CVE-2015-8524 (Cross-site scripting (XSS) vulnerability in Process Portal in IBM Busi ...)
	NOT-FOR-US: IBM
CVE-2015-8523 (The server in IBM Tivoli Storage Manager FastBack 5.5.x and 6.x before ...)
	NOT-FOR-US: IBM
CVE-2015-8522 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...)
	NOT-FOR-US: IBM
CVE-2015-8521 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...)
	NOT-FOR-US: IBM
CVE-2015-8520 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...)
	NOT-FOR-US: IBM
CVE-2015-8519 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...)
	NOT-FOR-US: IBM
CVE-2015-8518
	RESERVED
CVE-2015-8517
	REJECTED
CVE-2015-8516
	REJECTED
CVE-2015-8515
	REJECTED
CVE-2015-8514
	REJECTED
CVE-2015-8513
	REJECTED
CVE-2015-8512 (The lockscreen feature in Mozilla Firefox OS before 2.5 does not prope ...)
	NOT-FOR-US: Firefox OS
CVE-2015-8511 (Race condition in the lockscreen feature in Mozilla Firefox OS before ...)
	NOT-FOR-US: Firefox OS
CVE-2015-8510 (Cross-site scripting (XSS) vulnerability in the internationalization f ...)
	NOT-FOR-US: Firefox OS
CVE-2015-8509 (Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4 ...)
	- bugzilla4 (bug #669643)
CVE-2015-8508 (Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in ...)
	- bugzilla4 (bug #669643)
CVE-2015-8507 (mediaserver in Android 6.0 before 2015-12-01 allows remote attackers t ...)
	NOT-FOR-US: Android
CVE-2015-8506 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 a ...)
	NOT-FOR-US: Android
CVE-2015-8505 (mediaserver in Android before 5.1.1 LMY48Z allows remote attackers to ...)
	NOT-FOR-US: Android
CVE-2015-8503
	RESERVED
CVE-2015-8502
	REJECTED
CVE-2015-8501
	REJECTED
CVE-2015-8500
	REJECTED
CVE-2015-8499
	REJECTED
CVE-2015-8498
	REJECTED
CVE-2015-8497
	REJECTED
CVE-2015-8496
	REJECTED
CVE-2015-8495
	REJECTED
CVE-2015-8494
	REJECTED
CVE-2015-8493
	REJECTED
CVE-2015-8492
	REJECTED
CVE-2015-8491
	REJECTED
CVE-2015-8490
	REJECTED
CVE-2015-8489 (customapp in Cybozu Office 9.9.0 through 10.3.0 allows remote authenti ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8488 (Cybozu Office 10.3.0 allows remote attackers to read image files via a ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8487 (Cybozu Office 9.0.0 through 10.3 allows remote attackers to discover C ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8486 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8485 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8484 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8483 (Open redirect vulnerability in Cybozu Office 10.2.0 through 10.3.0 all ...)
	NOT-FOR-US: Cybozu Office
CVE-2015-8482 (Blue Coat Unified Agent before 4.6.2 does not prevent modification of ...)
	NOT-FOR-US: Blue Coat Unified Agent
CVE-2015-8481 (Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA S ...)
	NOT-FOR-US: Atlassian
CVE-2015-8504 (Qemu, when built with VNC display driver support, allows remote attack ...)
	{DSA-3471-1 DSA-3470-1 DSA-3469-1}
	- qemu 1:2.5+dfsg-1 (bug #808130)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: Fixed by http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 (v2.5.0-rc3)
	NOTE: Issue possibly introduced after http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6cec5487990bf3f1f22b3fcb871978255e92ae0d (v0.10.0)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/08/4
CVE-2015-8480 (The VideoFramePool::PoolImpl::CreateFrame function in media/base/video ...)
	- chromium-browser 47.0.2526.73-1
	[wheezy] - chromium-browser (Not supported in Wheezy)
	[squeeze] - chromium-browser (Not supported in Squeeze LTS)
CVE-2015-8479 (Use-after-free vulnerability in the AudioOutputDevice::OnDeviceAuthori ...)
	- chromium-browser 47.0.2526.73-1
	[wheezy] - chromium-browser (Not supported in Wheezy)
	[squeeze] - chromium-browser (Not supported in Squeeze LTS)
CVE-2015-8478 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...)
	- chromium-browser 47.0.2526-73-1
	[wheezy] - chromium-browser (Not supported in Wheezy)
	[squeeze] - chromium-browser (Not supported in Squeeze LTS)
	- libv8 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-8475
	RESERVED
CVE-2015-8471
	RESERVED
	NOT-FOR-US: ATutor
CVE-2015-8470 (The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not s ...)
	NOT-FOR-US: Puppet Enterprise
CVE-2015-8469
	RESERVED
CVE-2015-8468
	RESERVED
CVE-2015-8467 (The samldb_check_user_account_control_acl function in dsdb/samdb/ldb_m ...)
	{DSA-3433-1}
	- samba 2:4.1.22+dfsg-1
	[wheezy] - samba (Only affects 4.0.0 to 4.3.2)
	[squeeze] - samba (Only affects 4.0.0 to 4.3.2)
	NOTE: https://www.samba.org/samba/security/CVE-2015-8467.html
CVE-2015-8466 (Swift3 before 1.9 allows remote attackers to conduct replay attacks vi ...)
	{DSA-3583-1}
	- swift-plugin-s3 1.9-1 (bug #822688)
CVE-2015-XXXX [uses non-random tempdir /tmp/tmprepo.0/.git/]
	- git-repair 1.20151215-1 (unimportant; bug #807341)
	NOTE: Non-exploitable on release archs due to kernel hardening
CVE-2015-8537 (app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before ...)
	{DSA-3529-1}
	- redmine 3.2.0-1 (bug #807826)
	[squeeze] - redmine (Vulnerable code not present in 1.0.1)
	[wheezy] - redmine (Redmine not supported because of rails)
	NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
	NOTE: https://www.redmine.org/issues/21419 (private)
	NOTE: https://github.com/redmine/redmine/commit/7e423fb4538247d59e01958c48b491f196a1de56
	NOTE: upstream fixed in 2.6.9, 3.0.6 and 3.1.3
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/08/8
CVE-2015-8476 (Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 all ...)
	{DSA-3416-1 DLA-363-1}
	- libphp-phpmailer 5.2.14+dfsg-1 (bug #807265)
	NOTE: https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0 (v5.2.14)
CVE-2015-8474 (Open redirect vulnerability in the valid_back_url function in app/cont ...)
	{DSA-3529-1}
	- redmine 3.2.0-1 (bug #807272)
	[squeeze] - redmine (Redmine not supported because of rails)
	[wheezy] - redmine (Redmine not supported because of rails)
	NOTE: http://www.redmine.org/projects/redmine/wiki/Security_Advisories
	NOTE: https://www.redmine.org/issues/19577 (private)
	NOTE: commit: https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472
	NOTE: upstream fixed in 2.6.7, 3.0.5 and 3.1.1
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/04/1
	NOTE: depends on the CVE-2014-1985 fix first
CVE-2015-8473 (The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x ...)
	{DSA-3529-1}
	- redmine 3.2.0-1 (bug #807345)
	[squeeze] - redmine (code dates from the API changes introduced in 735a83c, part of 1.1)
	[wheezy] - redmine (Redmine not supported because of rails)
	NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
	NOTE: https://www.redmine.org/issues/21136
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/03/7
	NOTE: https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
CVE-2015-8465
	RESERVED
CVE-2015-8464
	RESERVED
CVE-2015-8463
	RESERVED
CVE-2015-8462
	RESERVED
CVE-2015-8461 (Race condition in resolver.c in named in ISC BIND 9.9.8 before 9.9.8-P ...)
	- bind9 (Only affects 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1)
	NOTE: https://kb.isc.org/article/AA-01319
CVE-2015-8460 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8459 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8458 (Heap-based buffer overflow in AGM.dll in Adobe Reader and Acrobat 10.x ...)
	NOT-FOR-US: Adobe
CVE-2015-8457 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 an ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8456 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8455 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8454 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8453 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8452 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8451 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8450 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8449 (Use-after-free vulnerability in the MovieClip object implementation in ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8448 (Use-after-free vulnerability in the DisplacementMapFilter object imple ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8447 (Use-after-free vulnerability in the Color object implementation in Ado ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8446 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8445 (Integer overflow in the Shader filter implementation in Adobe Flash Pl ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8444 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8443 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8442 (Use-after-free vulnerability in the MovieClip object implementation in ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8441 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8440 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8439 (The SharedObject object implementation in Adobe Flash Player before 18 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8438 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8437 (Use-after-free vulnerability in the Selection object implementation in ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8436 (Use-after-free vulnerability in the PrintJob object implementation in ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8435 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8434 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8433 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8432 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8431 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8430 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8429 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8428 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8427 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8426 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8425 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8424 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8423 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8422 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8421 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8420 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8419 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8418 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8417 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8416 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8415 (Buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8414 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8413 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8412 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8411 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8410 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8409 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8408 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8407 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 an ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8406 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8405 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8404 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8403 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8402 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8401 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-8399 (Atlassian Confluence before 5.8.17 allows remote authenticated users t ...)
	NOT-FOR-US: Atlassian Confluence
CVE-2015-8398 (Cross-site scripting (XSS) vulnerability in Atlassian Confluence befor ...)
	NOT-FOR-US: Atlassian Confluence
CVE-2015-8397 (The JPEGLSCodec::DecodeExtent function in MediaStorageAndFileFormat/gd ...)
	- gdcm 2.6.2-1
	[jessie] - gdcm 2.4.4-3+deb8u1
	[wheezy] - gdcm (Vulnerable code not present)
	[squeeze] - gdcm (Vulnerable code not present)
	NOTE: http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/
	NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/e547b1ded3fd21e0b0ad149f13045aa12d4b9b7c/
CVE-2015-8396 (Integer overflow in the ImageRegionReader::ReadIntoBuffer function in ...)
	- gdcm 2.6.2-1
	[jessie] - gdcm 2.4.4-3+deb8u1
	[wheezy] - gdcm (Minor issue)
	[squeeze] - gdcm (Vulnerable code not present)
	NOTE: http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
	NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/0f6f82052484774d072784f32105cecc79c45c19/
	NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/92cd6d7fe0d01c61cf68ac4ef65ef388ee252415/
	NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/9cbca25ff7f20c432b61eb9f4cae43a946502b66/
	NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/e0dd1114c82d372dd905c029ddbee4e81ed01a89/
CVE-2015-8379 (CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypas ...)
	- cakephp 2.8.0-1 (bug #832316)
	[jessie] - cakephp (Minor issue)
	[wheezy] - cakephp (vulnerable code not present)
	NOTE: http://karmainsecurity.com/KIS-2016-01
	NOTE: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
CVE-2015-8400 (The HTTPS fallback implementation in Shell In A Box (aka shellinabox) ...)
	- shellinabox 2.19
	[jessie] - shellinabox (Minor issue)
	[wheezy] - shellinabox (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/02/6
CVE-2015-8377 (SQL injection vulnerability in the host_new_graphs_save function in gr ...)
	{DSA-3494-1 DLA-374-1}
	- cacti 0.8.8f+ds1-4
	NOTE: http://bugs.cacti.net/view.php?id=2655
	NOTE: http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
CVE-2015-XXXX [Avoid unbounded SFTP extended attribute key/values]
	- proftpd-dfsg 1.3.5b-1
	[jessie] - proftpd-dfsg 1.3.5e-0+deb8u1
	[wheezy] - proftpd-dfsg (Minor issue; can be fixed in point release)
	[squeeze] - proftpd-dfsg (Vulnerable code not present)
	NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4210
	NOTE: https://github.com/proftpd/proftpd/pull/171
CVE-2015-8376 (Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2. ...)
	NOT-FOR-US: Microsoft
CVE-2015-8373 (The kea-dhcp4 and kea-dhcp6 servers 0.9.2 and 1.0.0-beta in ISC Kea, w ...)
	- isc-kea (Fixed before the initial version uploaded to Debian)
CVE-2015-8372
	RESERVED
CVE-2015-8371 [Composer Cache Injection vulnerability]
	RESERVED
	- composer 1.0.0~alpha11-3
	NOTE: http://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html
CVE-2015-8370 (Multiple integer underflows in Grub2 1.98 through 2.02 allow physicall ...)
	{DSA-3421-1 DLA-368-1}
	- grub2 2.02~beta2-33 (bug #807614)
	NOTE: https://twitter.com/lostinsecurity/status/674925944524640257
	NOTE: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
CVE-2015-8369 (SQL injection vulnerability in include/top_graph_header.php in Cacti 0 ...)
	{DSA-3423-1 DLA-374-1}
	- cacti 0.8.8f+ds1-3 (bug #807599)
	NOTE: http://bugs.cacti.net/view.php?id=2646
CVE-2015-8378 (In KeePassX before 0.4.4, a cleartext copy of password data is created ...)
	- keepassx 0.4.3+dfsg-1 (bug #791858)
	[jessie] - keepassx 0.4.3+dfsg-0.1+deb8u1
	[wheezy] - keepassx (Minor issue)
	[squeeze] - keepassx (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/30/4
CVE-2015-8375 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. ...)
	NOT-FOR-US: PHP-Fusion
CVE-2015-8368 (ntopng (aka ntop) before 2.2 allows remote authenticated users to chan ...)
	- ntopng 2.2+dfsg1-1 (bug #816190)
	[jessie] - ntopng (Minor issue)
	NOTE: fixed upstream in 2.2
	NOTE: https://www.exploit-db.com/exploits/38836/
	NOTE: https://github.com/ntop/ntopng/commit/2e0620be3410f5e22c9aa47e261bc5a12be692c6
CVE-2015-8367 (The phase_one_correct function in Libraw before 0.17.1 allows attacker ...)
	- libraw 0.17.1-1 (bug #806809)
	[jessie] - libraw 0.16.0-9+deb8u2
	[wheezy] - libraw (Vulnerable code not present)
	[squeeze] - libraw (Vulnerable code not present)
	- dcraw (Vulnerable code not present)
	- kodi (Vulnerable code not present)
	- darktable 2.0.0-1
	[jessie] - darktable (Vulnerable code not present)
	[wheezy] - darktable (Vulnerable code not present)
	[squeeze] - darktable (Vulnerable code not present)
	- ufraw (Vulnerable code not present)
	- rawtherapee (Vulnerable code not present)
	- exactimage (Vulnerable code not present)
	- xbmc
	[jessie] - xbmc (Transitional dummy package)
	[wheezy] - xbmc (Vulnerable code not present)
	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
	NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/7b1430c76a19c93f3cc755bb2ff9bda0ba9b4082 (0.15.0)
CVE-2015-8366 (Array index error in smal_decode_segment function in LibRaw before 0.1 ...)
	- libraw 0.17.1-1 (bug #806809)
	[jessie] - libraw 0.16.0-9+deb8u2
	[wheezy] - libraw (Vulnerable code not present)
	[squeeze] - libraw (Vulnerable code not present)
	- dcraw 9.28-1 (bug #864168)
	[stretch] - dcraw (Minor issue)
	[jessie] - dcraw (Minor issue)
	[wheezy] - dcraw (Vulnerable code not present)
	[squeeze] - dcraw (Vulnerable code not present)
	- kodi (Vulnerable code not present)
	- darktable 2.0.0-1
	[jessie] - darktable (Vulnerable code not present)
	[wheezy] - darktable (Vulnerable code not present)
	[squeeze] - darktable (Vulnerable code not present)
	- ufraw 0.20-4 (bug #818882)
	[jessie] - ufraw (Minor issue)
	[wheezy] - ufraw (Vulnerable code not present)
	[squeeze] - ufraw (Vulnerable code not present)
	- rawtherapee 4.2.1241-2
	[jessie] - rawtherapee 4.2-1+deb8u2
	[wheezy] - rawtherapee (Vulnerable code not present)
	[squeeze] - rawtherapee (Vulnerable code not present)
	- exactimage 0.9.1-13
	[jessie] - exactimage 0.8.9-7+deb8u2
	[wheezy] - exactimage (Vulnerable code not present)
	[squeeze] - exactimage (Vulnerable code not present)
	NOTE: exactimage: smal_decode_segment inside dcraw.h not dcraw.c
	- xbmc
	[jessie] - xbmc (Transitional dummy package)
	[wheezy] - xbmc (Vulnerable code not present)
	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
CVE-2015-8365 (The smka_decode_frame function in libavcodec/smacker.c in FFmpeg befor ...)
	{DSA-4012-1 DLA-1142-1}
	- ffmpeg 7:2.8.3-1 (bug #806519)
	[squeeze] - ffmpeg (Not supported in Squeeze LTS)
	- libav
	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a9af07a49295e014b059c1ab624c40345af5892
	NOTE: fix for the libav 11.9 branch: https://git.libav.org/?p=libav.git;a=commit;h=v11.9-5-g88762a0
	NOTE: fix for the libav 0.8 branch: https://git.libav.org/?p=libav.git;a=commit;h=9fba59f471725e5235d5378e795ebf8b59472817
CVE-2015-8364 (Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi. ...)
	{DLA-1611-1}
	- ffmpeg 7:2.8.3-1 (bug #806519)
	[squeeze] - ffmpeg (Not supported in Squeeze LTS)
	- libav
	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066
CVE-2015-8363 (The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in ...)
	{DLA-1611-1}
	- ffmpeg 7:2.8.3-1 (bug #806519)
	[squeeze] - ffmpeg (Not supported in Squeeze LTS)
	- libav
	[wheezy] - libav (Vulnerable code not present)
	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2
CVE-2015-8362 (The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices b ...)
	NOT-FOR-US: Harman AMX
CVE-2015-8361 (Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.1 ...)
	NOT-FOR-US: Atlassian
CVE-2015-8360 (An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x be ...)
	NOT-FOR-US: Atlassian
CVE-2015-8359
	RESERVED
CVE-2015-8358 (Directory traversal vulnerability in the bitrix.mpbuilder module befor ...)
	NOT-FOR-US: Bitrix
CVE-2015-8357 (Directory traversal vulnerability in the bitrix.xscan module before 1. ...)
	NOT-FOR-US: Bitrix
CVE-2015-8356 (Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 a ...)
	NOT-FOR-US: Bitrix
CVE-2015-8355 (Multiple SQL injection vulnerabilities in the orion.extfeedbackform mo ...)
	NOT-FOR-US: Bitrix
CVE-2015-8354 (Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPr ...)
	NOT-FOR-US: WordPress plugin ultimate-member
CVE-2015-8353 (Cross-site scripting (XSS) vulnerability in the Role Scoper plugin bef ...)
	NOT-FOR-US: WordPress plugin role-scoper
CVE-2015-8352 (Directory traversal vulnerability in Zen Cart 1.5.4 allows remote atta ...)
	NOT-FOR-US: Zen Cart
CVE-2015-8351 (PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin ...)
	NOT-FOR-US: WordPress plugin gwolle-gb
CVE-2015-8350 (Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Ac ...)
	NOT-FOR-US: WordPress plugin cta
CVE-2015-8349 (Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre- ...)
	NOT-FOR-US: SourceBans
CVE-2015-8348
	RESERVED
CVE-2015-8347
	RESERVED
CVE-2015-8344
	RESERVED
CVE-2015-8343
	RESERVED
CVE-2015-8342
	REJECTED
CVE-2015-8341 (The libxl toolstack library in Xen 4.1.x through 4.6.x does not proper ...)
	{DSA-3519-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[wheezy] - xen (Minor issue, xl not used in wheezy)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-160.html
CVE-2015-8340 (The memory_exchange function in common/memory.c in Xen 3.2.x through 4 ...)
	{DSA-3519-1 DLA-479-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-159.html
CVE-2015-8339 (The memory_exchange function in common/memory.c in Xen 3.2.x through 4 ...)
	{DSA-3519-1 DLA-479-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-159.html
CVE-2015-8338 (Xen 4.6.x and earlier does not properly enforce limits on page order i ...)
	{DSA-3633-1}
	- xen 4.8.0~rc3-1 (bug #823620)
	[wheezy] - xen (Only affects Xen on arm)
	[squeeze] - xen (Only affects Xen on arm)
	NOTE: http://xenbits.xen.org/xsa/advisory-158.html
CVE-2015-8374 (fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compresse ...)
	- linux 4.2.6-2
	[jessie] - linux 3.16.7-ckt20-1+deb8u1
	[wheezy] - linux 3.2.78-1
	- linux-2.6
	[squeeze] - linux-2.6 (btrfs in 2.6.32 is just a tech preview and not usable for production)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7 (v4.4-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/27/2
	NOTE: CVE assignment for the vulnerability with the impact of "User B now
	NOTE: gets to see the 1000 bytes that user A truncated from its file before
	NOTE: it made its file world readable"
CVE-2015-8337 (The HIFI driver in Huawei P8 phones with software GRA-TL00 before GRA- ...)
	NOT-FOR-US: Huawei
CVE-2015-8336 (Huawei FusionCompute with software before V100R005C10SPC700 allows rem ...)
	NOT-FOR-US: Huawei FusionCompute
CVE-2015-8335 (Huawei VCN500 with software before V100R002C00SPC201 logs passwords in ...)
	NOT-FOR-US: Huawei
CVE-2015-8334 (SQL injection vulnerability in the Operation and Maintenance Unit (OMU ...)
	NOT-FOR-US: Huawei
CVE-2015-8333 (The Operation and Maintenance Unit (OMU) in Huawei VCN500 with softwar ...)
	NOT-FOR-US: Huawei
CVE-2015-8332 (Huawei Video Content Management (VCM) before V100R001C10SPC001 does no ...)
	NOT-FOR-US: Huawei
CVE-2015-8331 (The Operation and Maintenance Unit (OMU) in Huawei VCN500 with softwar ...)
	NOT-FOR-US: Huawei
CVE-2015-8330 (The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers ...)
	NOT-FOR-US: SAP
CVE-2015-8329 (SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII ...)
	NOT-FOR-US: SAP
CVE-2015-8328 (Unspecified vulnerability in the NVAPI support layer in the NVIDIA GPU ...)
	- nvidia-graphics-drivers (Windows only)
CVE-2015-8327 (Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-f ...)
	{DSA-3429-1 DSA-3411-1 DLA-365-1}
	- cups-filters 1.2.0-1
	[wheezy] - cups-filters (Vulnerable code not present; introduced in 1.0.42)
	- foomatic-filters 4.0.17-7 (bug #806886)
CVE-2015-8325 (The do_setup_env function in session.c in sshd in OpenSSH through 7.2p ...)
	{DSA-3550-1}
	- openssh 1:7.2p2-3
	NOTE: Upstream fix: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
CVE-2015-XXXX [RCE in gitlab-shell 2.6.6-2.6.7]
	- gitlab-shell (Only affects version 2.6.6-2.6.7)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/11/25/5
CVE-2015-8345 (The eepro100 emulator in QEMU qemu-kvm blank allows local guest users ...)
	{DSA-3471-1 DSA-3470-1 DSA-3469-1}
	- qemu 1:2.5+dfsg-1 (bug #806373)
	[jessie] - qemu (Minor issue, can be fixed along in a later DSA)
	[wheezy] - qemu (Minor issue, can be fixed along in a later DSA)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[jessie] - qemu-kvm (Minor issue, can be fixed along in a later DSA)
	[wheezy] - qemu-kvm (Minor issue, can be fixed along in a later DSA)
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/25/3
CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...)
	{DSA-3529-1 DLA-351-1}
	- redmine 3.2.0-1 (bug #806376)
	[wheezy] - redmine (Redmine not supported because of rails)
	[squeeze] - redmine (Redmine not supported because of rails)
	NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
	NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
	NOTE: https://www.redmine.org/issues/21150 (private)
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/25/1
	NOTE: Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
	NOTE: Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
	NOTE: For squeeze, the bug is in app/views/timelog/edit.rhtml
	NOTE: upstream fixed in 2.6.8, 3.0.6 and 3.1.2
CVE-2015-XXXX [Insecure permissions for backup directory]
	- dbconfig-common 1.8.58 (bug #805638)
	[jessie] - dbconfig-common 1.8.47+nmu3+deb8u1
	[wheezy] - dbconfig-common 1.8.47+nmu1+deb7u1
	[squeeze] - dbconfig-common 1.8.46+squeeze.1
	NOTE: Workaround entry for DLA-390-1 (since no CVE for this issue)
CVE-2015-8323
	RESERVED
CVE-2015-8322 (NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authe ...)
	NOT-FOR-US: NetApp
CVE-2015-8326 (The IPTables-Parse module before 1.6 for Perl allows local users to wr ...)
	- libiptables-parse-perl 1.6-1
	[jessie] - libiptables-parse-perl 1.1-1+deb8u1
	[wheezy] - libiptables-parse-perl 1.1-1+deb7u1
	[squeeze] - libiptables-parse-perl (Minor issue)
	NOTE: https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/24/6
CVE-2015-8381 (The compile_regex function in pcre_compile.c in PCRE before 8.38 and p ...)
	- pcre3 2:8.38-1 (bug #796762; bug #795539)
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code introduced later)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1672
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1594
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/24/1
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1667
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/05/3
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1585
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1250943
CVE-2015-8380 (The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a ...)
	- pcre3 2:8.38-1 (bug #806467)
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code not present)
	NOTE: For wheezy: same code looks present around patched lines, though the
	NOTE: reproducer does not lead to a crash, and just gives
	NOTE: "Matched, but too many substrings"
	[squeeze] - pcre3 (Vulnerable code not present)
	NOTE: Fixed in 8.38 upstream
	- pcre2
	NOTE: Commit: http://vcs.pcre.org/pcre?view=revision&revision=1565
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1637
	NOTE: https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html
CVE-2015-8321
	RESERVED
CVE-2015-8319 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...)
	NOT-FOR-US: Huawei
CVE-2015-8318 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...)
	NOT-FOR-US: Huawei
CVE-2015-8315 (The ms package before 0.7.1 for Node.js allows attackers to cause a de ...)
	- node-ms (Fixed before initial upload to Debian)
CVE-2015-8314
	RESERVED
CVE-2015-8313 (GnuTLS incorrectly validates the first byte of padding in CBC modes ...)
	{DSA-3408-1 DLA-364-1}
	- gnutls28 (Vulnerable code not present)
	- gnutls26
	NOTE: https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html
CVE-2015-8312 (Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow ...)
	{DSA-3569-1 DLA-493-1}
	- openafs 1.6.17-1
	NOTE: http://git.openafs.org/?p=openafs.git;a=commitdiff;h=2ef863720da4d9f368aaca0461c672a3008195ca
	NOTE: http://rt.central.org/rt/Ticket/Display.html?id=132256
CVE-2015-8311
	RESERVED
CVE-2015-8310 (Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 ...)
	NOT-FOR-US: Cherry Music
CVE-2015-8309 (Directory traversal vulnerability in Cherry Music before 0.36.0 allows ...)
	NOT-FOR-US: Cherry Music
CVE-2015-8307 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 be ...)
	NOT-FOR-US: Huawei
CVE-2015-8306 (Buffer overflow in the HIFI driver in Huawei P8 phones with software G ...)
	NOT-FOR-US: Huawei
CVE-2015-8305 (Huawei Sophia-L10 smartphones with software before P7-L10C900B852 allo ...)
	NOT-FOR-US: Huawei
CVE-2015-8304 (Integer overflow in Huawei P7 phones with software before P7-L07 V100R ...)
	NOT-FOR-US: Huawei
CVE-2015-8303 (Huawei Document Security Management (DSM) with software before V100R00 ...)
	NOT-FOR-US: Huawei
CVE-2015-8302
	RESERVED
CVE-2015-8301
	RESERVED
CVE-2015-8324 (The ext4 implementation in the Linux kernel before 2.6.34 does not pro ...)
	{DLA-360-1}
	- linux 2.6.37-1
	- linux-2.6
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/23/2
	NOTE: https://bugs.openvz.org/browse/OVZ-6541
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1267261
	NOTE: Commit fixing the issue: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11 (v2.6.34-rc1)
CVE-2015-8320 (Apache Cordova-Android before 3.7.0 improperly generates random values ...)
	NOT-FOR-US: Apache Cordova
CVE-2015-8316 (Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16. ...)
	- lightdm 1.16.6-1
	[jessie] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x)
	[wheezy] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x)
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/21/2
	NOTE: https://bugs.launchpad.net/lightdm/+bug/15168
	NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.14/revision/2166 (1.14.x)
	NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.16/revision/2207 (1.16.x)
CVE-2015-8300 (Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: F ...)
	NOT-FOR-US: Polycom BToE Connector
CVE-2015-8299 (Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1. ...)
	NOT-FOR-US: Falcon
CVE-2015-8298 (Multiple SQL injection vulnerabilities in the login page in RXTEC RXAd ...)
	NOT-FOR-US: RXTEC
CVE-2015-8297
	REJECTED
CVE-2015-8296
	REJECTED
CVE-2015-8295
	REJECTED
CVE-2015-8294
	REJECTED
CVE-2015-8293
	REJECTED
CVE-2015-8292
	REJECTED
CVE-2015-8291
	REJECTED
CVE-2015-8290
	REJECTED
CVE-2015-8289 (The password-recovery feature on NETGEAR D3600 devices with firmware 1 ...)
	NOT-FOR-US: Netgear routers
CVE-2015-8288 (NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with fi ...)
	NOT-FOR-US: Netgear routers
CVE-2015-8287 (Swann SRNVW-470LCD devices with firmware through 0114 and SWNVW-470CAM ...)
	NOT-FOR-US: Swann
CVE-2015-8286 (Zhuhai RaySharp firmware has a hardcoded root password, which makes it ...)
	NOT-FOR-US: Zhuhai RaySharp
CVE-2015-8285 (The webssx.sys driver in QuickHeal 16.00 allows remote attackers to ca ...)
	NOT-FOR-US: QuickHeal
CVE-2015-8284 (SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to p ...)
	NOT-FOR-US: SeaWell Networks Spectrum
CVE-2015-8283 (Directory traversal vulnerability in configure_manage.php in SeaWell N ...)
	NOT-FOR-US: SeaWell Networks Spectrum
CVE-2015-8282 (SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admi ...)
	NOT-FOR-US: SeaWell Networks Spectrum
CVE-2015-8281 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows attackers to ...)
	NOT-FOR-US: Samsung
CVE-2015-8280 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attack ...)
	NOT-FOR-US: Samsung
CVE-2015-8279 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attack ...)
	NOT-FOR-US: Samsung
CVE-2015-8278
	RESERVED
CVE-2015-8277 (Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexer ...)
	NOT-FOR-US: Flexera FlexNet Publisher
CVE-2015-8276 (LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow atta ...)
	NOT-FOR-US: LVRTC eParakstitajs
CVE-2015-8275 (LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow atta ...)
	NOT-FOR-US: LVRTC eParakstitajs
CVE-2015-8274
	RESERVED
CVE-2015-8273
	RESERVED
CVE-2015-8272 (RTMPDump 2.4 allows remote attackers to trigger a denial of service (N ...)
	{DSA-3850-1 DLA-917-1}
	- rtmpdump 2.4+20151223.gitfa8646d.1-1
	NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/4312322107a94c81d3ec5b98f91bc6b923551dc5
	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0068/
	NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due
	NOTE: to missing upstream source import the fixes are really only present in
	NOTE: 2.4+20151223.gitfa8646d.1-1
CVE-2015-8271 (The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTM ...)
{DSA-3850-1 DLA-917-1} - rtmpdump 2.4+20151223.gitfa8646d.1-1 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0067/ NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/39ec7eda489717d503bc4cbfaa591c93205695b6 NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/530f9bb2a02a78c1198fb2bf0293a12d225e4691 NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due NOTE: to missing upstream source import the fixes are really only present in NOTE: 2.4+20151223.gitfa8646d.1-1 CVE-2015-8270 (The AMF3ReadString function in amf.c in RTMPDump 2.4 allows remote RTM ...) {DSA-3850-1 DLA-917-1} - rtmpdump 2.4+20151223.gitfa8646d.1-1 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0066/ NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/10b580aabcec1621b25518271ba1ab2b018be88e NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due NOTE: to missing upstream source import the fixes are really only present in NOTE: 2.4+20151223.gitfa8646d.1-1 CVE-2015-8269 (The API on Fisher-Price Smart Toy Bear devices allows remote attackers ...) NOT-FOR-US: Fisher-Price CVE-2015-8268 (The up.time agent in Idera Uptime Infrastructure Monitor 7.5 and 7.6 o ...) NOT-FOR-US: Idera Uptime Infrastructure Monitor CVE-2015-8267 (The PasswordReset.Controllers.ResetController.ChangePasswordIndex meth ...) NOT-FOR-US: Dovestones CVE-2015-8266 RESERVED CVE-2015-8265 (Huawei Mobile WiFi E5151 routers with software before E5151s-2TCPU-V20 ...) NOT-FOR-US: Huawei CVE-2015-8264 (Untrusted search path vulnerability in F-Secure Online Scanner allows ...) NOT-FOR-US: F-Secure Online Scanner CVE-2015-8263 (NETGEAR WNR1000v3 devices with firmware 1.0.2.68 use the same source p ...) NOT-FOR-US: NETGEAR CVE-2015-8262 (Buffalo WZR-600DHP2 devices with firmware 2.09, 2.13, and 2.16 use an ...) NOT-FOR-US: BUFFALO CVE-2015-8261 (The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold ...) 
NOT-FOR-US: Ipswitch CVE-2015-8260 RESERVED CVE-2015-8259 RESERVED CVE-2015-8258 (AXIS Communications products with firmware through 5.80.x allow remote ...) NOT-FOR-US: AXIS Communications CVE-2015-8257 (The devtools.sh script in AXIS network cameras allows remote authentic ...) NOT-FOR-US: Axis network cameras CVE-2015-8256 (Multiple cross-site scripting (XSS) vulnerabilities in Axis network ca ...) NOT-FOR-US: Axis network cameras CVE-2015-8255 (AXIS Communications products allow CSRF, as demonstrated by admin/pwdg ...) NOT-FOR-US: AXIS Communications CVE-2015-8254 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8253 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8252 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8251 (OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, 20E ...) NOT-FOR-US: OpenStage CVE-2015-8250 RESERVED CVE-2015-8249 (The FileUploadServlet class in ManageEngine Desktop Central 9 before b ...) NOT-FOR-US: ManageEngine Desktop Central CVE-2015-8248 REJECTED CVE-2015-8247 (Cross-site scripting (XSS) vulnerability in synnefoclient in Synnefo I ...) 
NOT-FOR-US: Synnefo CVE-2015-8246 RESERVED CVE-2015-8245 RESERVED CVE-2015-8244 RESERVED CVE-2015-XXXX [ZF2015-09: Potential Information Disclosure and Insufficient Entropy vulnerability in Zend/Captcha/Word] - zendframework 1.12.17+dfsg-1 [jessie] - zendframework 1.12.9+dfsg-2+deb8u5 [wheezy] - zendframework 1.11.13-1.1+deb7u5 [squeeze] - zendframework (Minor issue) NOTE: security hardening NOTE: http://framework.zend.com/security/advisory/ZF2015-09 NOTE: https://github.com/zendframework/zf1/commit/4a41392f89bf510a8ab801eacb117fe7ea25b575 CVE-2015-XXXX [Missing bounds checking and verification of data type causes segfault] - libmaxminddb 1.1.5-1 (bug #805657) NOTE: https://github.com/maxmind/libmaxminddb/commit/51255f113fe3c7b63ffe957636a7656a3ff9d1ff NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283919 CVE-2015-8308 (LXDM before 0.5.2 did not start X server with -auth, which allows loca ...) - lxdm 0.5.3-1 (bug #805659) NOTE: http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268900 NOTE: http://advisories.mageia.org/MGASA-2015-0411.html NOTE: https://www.openwall.com/lists/oss-security/2015/11/20/2 CVE-2015-8243 RESERVED CVE-2015-8240 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, A ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8238 RESERVED CVE-2015-8237 RESERVED CVE-2015-8236 (Arista EOS before 4.11.12, 4.12 before 4.12.11, 4.13 before 4.13.14M, ...) NOT-FOR-US: Arista EOS CVE-2015-8235 (Directory traversal vulnerability in Spiffy before 5.4. ...) - chicken 4.10.0-1 [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) CVE-2015-8233 (Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x bef ...) NOT-FOR-US: Drupal theme CVE-2015-8232 (The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not prope ...) 
NOT-FOR-US: Drupal theme CVE-2015-8231 (Huawei eSpace 7910 and 7950 IP phones with software before V200R002C00 ...) NOT-FOR-US: Huawei CVE-2015-8230 (Memory leak in Huawei eSpace 8950 IP phones with software before V200R ...) NOT-FOR-US: Huawei CVE-2015-8229 (Huawei eSpace U2980 unified gateway with software before V100R001C10 a ...) NOT-FOR-US: Huawai CVE-2015-8228 (Directory traversal vulnerability in the SFTP server in Huawei AR 120, ...) NOT-FOR-US: Huawai CVE-2015-8227 (The built-in web server in Huawei VP9660 multi-point control unit with ...) NOT-FOR-US: Huawai CVE-2015-8226 (The Joint Photographic Experts Group Processing Unit (JPU) driver in H ...) NOT-FOR-US: Huawei CVE-2015-8225 (The Joint Photographic Experts Group Processing Unit (JPU) driver in H ...) NOT-FOR-US: Huawei CVE-2015-8224 (Huawei P8 before GRA-CL00C92B210, before GRA-L09C432B200, before GRA-T ...) NOT-FOR-US: Huawei CVE-2015-8223 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B85, and P ...) NOT-FOR-US: Huawei CVE-2015-8222 (The lxd-unix.socket systemd unit file in the Ubuntu lxd package before ...) - lxd (bug #768073) CVE-2015-8221 (Integer overflow in Google Picasa before 3.9.140 Build 259 allows remo ...) NOT-FOR-US: Google Picasa CVE-2015-8220 (Stack-based buffer overflow in the URI handler in DWRCC.exe in SolarWi ...) NOT-FOR-US: SolarWinds remote control CVE-2015-8242 (The xmlSAX2TextNode function in SAX2.c in the push interface in the HT ...) 
- libxml2 2.9.3+dfsg1-1 (bug #805146) [jessie] - libxml2 (Vulnerable code introduced later) [wheezy] - libxml2 (Vulnerable code introduced later) [squeeze] - libxml2 (Vulnerable code introduced later) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756372 NOTE: Introduced by: https://git.gnome.org/browse/libxml2/commit/?id=826bc320206f70fccd2941a77d363e95e8076898 (v2.9.2-rc1) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2 (v2.9.3) CVE-2015-8241 (The xmlNextChar function in libxml2 2.9.2 does not properly check the ...) {DSA-3430-1 DLA-355-1} - libxml2 2.9.3+dfsg1-1 (bug #806384) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756263 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe NOTE: Introduced/Uncovered by https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (fix for CVE-2015-7941) NOTE: https://www.openwall.com/lists/oss-security/2015/11/17/5 CVE-2015-8239 (The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 all ...) - sudo 1.8.17p1-1 (bug #805563) [jessie] - sudo (Minor issue) [wheezy] - sudo (Command digests are only supported by version 1.8.7 or higher) [squeeze] - sudo (Command digests are only supported by version 1.8.7 or higher) NOTE: https://www.openwall.com/lists/oss-security/2015/11/10/2 CVE-2015-8234 (The image signature algorithm in OpenStack Glance 11.0.0 allows remote ...) - glance (unimportant) CVE-2015-8219 (The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2. ...) - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Vulnerable code not present) [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=43492ff3ab68a343c1264801baa1d5a02de10167 CVE-2015-8218 (The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg be ...) 
- ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav (Vulnerable feature not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=d4a731b84a08f0f3839eaaaf82e97d8d9c67da46 NOTE: Vulnerability affects G3{1, 2}D code extensions feature, which is not present NOTE: in libav 0.8 and 9. branches: https://lists.debian.org/debian-lts/2017/12/msg00011.html NOTE: 11.x features G3 support, but the vulnerable code was introduced later CVE-2015-8217 (The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg befor ...) {DLA-1611-1} - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Contains a similar code block like the one referenced by the ffmpeg commit) [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=93f30f825c08477fe8f76be00539e96014cc83c8 CVE-2015-8216 (The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg ...) {DLA-1611-1} - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=d24888ef19ba38b787b11d1ee091a3d94920c76a NOTE: patch does not apply cleanly in jessie's libav, possibly needs some brainwork CVE-2015-8215 (net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 d ...) {DSA-3364-1 DLA-310-1} - linux 4.0.2-1 - linux-2.6 NOTE: Patch for the kernel to harden against invalid MTUs: http://article.gmane.org/gmane.linux.network/351269 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77751427a1ff25b27d47a4c36b12c3c8667855ac (v4.0-rc3) CVE-2015-8214 (A vulnerability has been identified in SIMATIC NET CP 342-5 (incl. SIP ...) NOT-FOR-US: Siemens CVE-2015-8213 (The get_format function in utils/formats.py in Django before 1.7.x bef ...) 
{DSA-3404-1 DLA-349-1} - python-django 1.8.7-1 NOTE: https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4 (master) NOTE: https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (1.7.x) NOTE: https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ CVE-2015-8212 (CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 throug ...) {DLA-490-1} - bozohttpd NOTE: FIX http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/bozohttpd.c.diff?r1=1.79&r2=1.80&only_with_tag=MAIN NOTE: http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2016-005.txt.asc NOTE: http://www.eterna.com.au/bozohttpd/CHANGES NOTE: http://www.eterna.com.au/bozohttpd/bozohttpd-20160415.tar.bz2 CVE-2015-8211 REJECTED CVE-2015-8210 REJECTED CVE-2015-8209 REJECTED CVE-2015-8208 REJECTED CVE-2015-8207 REJECTED CVE-2015-8206 REJECTED CVE-2015-8205 REJECTED CVE-2015-8204 REJECTED CVE-2015-8203 REJECTED CVE-2015-8202 REJECTED CVE-2015-8201 REJECTED CVE-2015-8200 REJECTED CVE-2015-8199 REJECTED CVE-2015-8198 REJECTED CVE-2015-8197 REJECTED CVE-2015-8196 REJECTED CVE-2015-8195 REJECTED CVE-2015-8194 REJECTED CVE-2015-8193 REJECTED CVE-2015-8192 REJECTED CVE-2015-8191 REJECTED CVE-2015-8190 REJECTED CVE-2015-8189 REJECTED CVE-2015-8188 REJECTED CVE-2015-8187 REJECTED CVE-2015-8186 REJECTED CVE-2015-8185 REJECTED CVE-2015-8184 REJECTED CVE-2015-8183 REJECTED CVE-2015-8182 REJECTED CVE-2015-8181 REJECTED CVE-2015-8180 REJECTED CVE-2015-8179 REJECTED CVE-2015-8178 REJECTED CVE-2015-8177 REJECTED CVE-2015-8175 RESERVED CVE-2015-8174 RESERVED CVE-2015-8173 RESERVED CVE-2015-8172 RESERVED CVE-2015-8171 RESERVED CVE-2015-8170 RESERVED CVE-2015-8169 RESERVED CVE-2015-8168 RESERVED CVE-2015-8167 RESERVED CVE-2015-8166 RESERVED CVE-2015-8165 RESERVED CVE-2015-8164 RESERVED CVE-2015-8163 RESERVED CVE-2015-8162 RESERVED CVE-2015-8161 RESERVED CVE-2015-8160 RESERVED CVE-2015-8159 RESERVED CVE-2015-8158 (The getresponse function in ntpq in 
NTP versions before 4.2.8p9 and 4. ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2948 CVE-2015-8157 (SQL injection vulnerability in the Management Server in Symantec Embed ...) NOT-FOR-US: Symantec CVE-2015-8156 (Unquoted Windows search path vulnerability in EEDService in Symantec E ...) NOT-FOR-US: Symantec CVE-2015-8155 REJECTED CVE-2015-8154 (The SysPlant.sys driver in the Application and Device Control (ADC) co ...) NOT-FOR-US: Symantec CVE-2015-8153 (SQL injection vulnerability in Symantec Endpoint Protection Manager (S ...) NOT-FOR-US: Symantec CVE-2015-8152 (Cross-site request forgery (CSRF) vulnerability in Symantec Endpoint P ...) NOT-FOR-US: Symantec CVE-2015-8151 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...) NOT-FOR-US: Symantec CVE-2015-8150 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...) NOT-FOR-US: Symantec CVE-2015-8149 (The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 ...) NOT-FOR-US: Symantec CVE-2015-8148 (The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 ...) NOT-FOR-US: Symantec CVE-2015-8145 RESERVED CVE-2015-8144 RESERVED CVE-2015-8143 RESERVED CVE-2015-8142 RESERVED CVE-2015-8141 RESERVED CVE-2015-8140 (The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to con ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, no code fix by upstream and mitigation exists) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2947 NOTE: Mitigated in 4.2.8p6 CVE-2015-8139 (ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin ti ...) 
- ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, no code fix by upstream and mitigation exists) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2946 NOTE: Mitigated in 4.2.8p6 CVE-2015-8138 (NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0077/ NOTE: https://github.com/ntp-project/ntp/commit/880191b72409a1965712999d248d70e6f7163af8 NOTE: The upstream fix for this issue is reported to be incomplete: NOTE: http://bugs.ntp.org/show_bug.cgi?id=2945#c7 NOTE: http://lists.ntp.org/pipermail/hackers/2016-January/007406.html NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2015-8137 RESERVED CVE-2015-8136 RESERVED CVE-2015-8135 REJECTED CVE-2015-8134 REJECTED CVE-2015-8133 REJECTED CVE-2015-8132 REJECTED CVE-2015-8131 (Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kiban ...) - kibana (bug #700337) CVE-2015-8130 RESERVED CVE-2015-8129 RESERVED CVE-2015-8128 RESERVED CVE-2015-8127 RESERVED CVE-2015-8317 (The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allow ...) 
{DSA-3430-1 DLA-355-1} - libxml2 2.9.2+zdfsg1-4 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=751631 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=751603 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c CVE-2015-XXXX [Kernel: Unprivileged user can freeze journald] - linux (unimportant) - linux-2.6 (Vulnerable code not present) NOTE: https://github.com/systemd/systemd/issues/1822 NOTE: Issue in Linux related to unprivileged CLONE_NEWUSER affecting systemd, but we disable unprivileged use by default CVE-2015-8125 (Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7 ...) {DSA-3402-1} - symfony 2.7.7+dfsg-1 NOTE: http://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service NOTE: https://github.com/symfony/symfony/pull/16630 CVE-2015-8124 (Session fixation vulnerability in the "Remember Me" login feature in S ...) {DSA-3402-1} - symfony 2.7.7+dfsg-1 NOTE: http://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature NOTE: https://github.com/symfony/symfony/pull/16631 CVE-2015-8123 REJECTED CVE-2015-8122 REJECTED CVE-2015-8121 REJECTED CVE-2015-8120 REJECTED CVE-2015-8119 REJECTED CVE-2015-8118 REJECTED CVE-2015-8117 REJECTED CVE-2015-8116 REJECTED CVE-2015-8115 REJECTED CVE-2015-8114 REJECTED CVE-2015-8113 (Untrusted search path vulnerability in the client in Symantec Endpoint ...) NOT-FOR-US: Symantec CVE-2015-8112 RESERVED CVE-2015-8111 RESERVED CVE-2015-8110 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...) NOT-FOR-US: Lenovo CVE-2015-8109 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...) NOT-FOR-US: Lenovo CVE-2015-8108 (The management interface in LenovoEMC EZ Media & Backup (hm3), ix2 ...) 
NOT-FOR-US: LenovoEMC CVE-2015-8107 (Format string vulnerability in GNU a2ps 4.14 allows remote attackers t ...) - a2ps 1:4.14-1.2 [wheezy] - a2ps (Minor issue) [squeeze] - a2ps (Minor issue) CVE-2015-8106 (Format string vulnerability in the CmdKeywords function in funct1.c in ...) - latex2rtf 2.3.10-1 (unimportant; bug #805398) [wheezy] - latex2rtf (Vulnerable code introduced later) [squeeze] - latex2rtf (Vulnerable code introduced later) NOTE: keywords command support introduced in http://sourceforge.net/p/latex2rtf/code/1152 NOTE: http://sourceforge.net/p/latex2rtf/code/1152/tree//trunk/funct1.c?diff=50900fed34309d3c639c868f:1151 NOTE: latex2rtf compiled with -D_FORTIFY_SOURCE=2 NOTE: Rendered non-exploitable by toolchain hardening CVE-2015-8472 (Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, ...) {DSA-3443-1 DLA-410-1 DLA-375-1} - libpng (bug #807112) - libpng1.6 1.6.20-1 (bug #807112) NOTE: Fixed in 1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 NOTE: https://github.com/glennrp/libpng/commit/7e1ca9ceba4e64259863efdd98bab9b55bdc0b9c NOTE: https://github.com/glennrp/libpng/commit/4488a96126bbefda51d07835411d8e847a88b2b7 NOTE: https://github.com/glennrp/libpng/commit/ad224c6907e8a274f2679eae4c2e3085fdc7e8c8 CVE-2015-8126 (Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE ...) {DSA-3507-1 DSA-3399-1 DLA-410-1 DLA-343-1} - libpng 1.2.54-1 (bug #805113) NOTE: https://www.openwall.com/lists/oss-security/2015/11/12/2 NOTE: Fixed in 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 NOTE: The original patch was incomplete, cf. NOTE: https://www.openwall.com/lists/oss-security/2015/12/03/6 NOTE: and fixed in new upstream versions 1.6.20, 1.5.25, NOTE: 1.4.18, 1.2.55, and 1.0.65 - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8105 (Cross-site scripting (XSS) vulnerability in program/js/app.js in Round ...) 
- roundcube 1.1.3+dfsg.1-1 [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: https://github.com/roundcube/roundcubemail/issues/4900 NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/dd7db217979d6960f53b6544cf053d8c0db8c416 CVE-2015-XXXX [directory traversal in servefile] - servefile 0.4.4-1 [jessie] - servefile (Minor issue) [wheezy] - servefile (Minor issue) NOTE: https://github.com/sebageek/servefile/commit/cd7eee21be3602ab6118a23eec8e2628d1a6488c CVE-2015-8102 RESERVED CVE-2015-8101 RESERVED CVE-2015-8099 (F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3 ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8098 (F5 BIG-IP APM 11.4.1 before 11.4.1 HF9, 11.5.x before 11.5.3, and 11.6 ...) NOT-FOR-US: BIG-IP CVE-2015-8097 RESERVED CVE-2015-8096 (Integer overflow in Google Picasa 3.9.140 Build 239 and Build 248 allo ...) NOT-FOR-US: Google Picasa CVE-2015-8095 (The recycle bin feature in the Monster Menus module 7.x-1.21 before 7. ...) NOT-FOR-US: Monster Menus module for Drupal CVE-2015-8094 (Open redirect vulnerability in Cloudera HUE before 3.10.0 allows remot ...) NOT-FOR-US: Cloudera HUE CVE-2015-8093 RESERVED CVE-2015-8092 RESERVED CVE-2015-8091 REJECTED CVE-2015-8090 (The Web Server component in TIBCO LogLogic Unity before 1.1.1 allows r ...) NOT-FOR-US: TIBCO CVE-2015-8104 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x thr ...) 
{DSA-3454-1 DSA-3426-1 DSA-3414-1 DLA-479-1} - linux 4.2.6-2 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-156.html NOTE: Upstream patch: https://lkml.org/lkml/2015/11/10/218 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbdb967af3d54993f5814f1cee0ed311a055377d - virtualbox 5.0.10-dfsg-1 [wheezy] - virtualbox (DSA 3454) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2015-8100 (The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for ...) - net-snmp (Specific to packaging in OpenBSD) CVE-2015-8089 (The GPU driver in Huawei P7 phones with software P7-L00 before P7-L00C ...) NOT-FOR-US: Huawei CVE-2015-8088 (Heap-based buffer overflow in the HIFI driver in Huawei Mate 7 phones ...) NOT-FOR-US: Huawei CVE-2015-8087 (Huawei NE20E-S, NE40E-M, and NE40E-M2 routers with software before V80 ...) NOT-FOR-US: Huawei CVE-2015-8086 (Huawei AR routers with software before V200R007C00SPC100; Quidway S930 ...) NOT-FOR-US: Huawei CVE-2015-8085 (Huawei AR routers with software before V200R007C00SPC100; Quidway S930 ...) NOT-FOR-US: Huawei CVE-2015-8084 (Huawei USG5500, USG2100, USG2200, and USG5100 unified security gateway ...) NOT-FOR-US: Huawei CVE-2015-8083 (An unspecified module in Huawei eSpace U1910, U1911, U1930, U1960, U19 ...) NOT-FOR-US: Huawei CVE-2015-8082 (The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x ...) NOT-FOR-US: Login Disable module for Drupal CVE-2015-8081 (The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allo ...) NOT-FOR-US: Field as Block module for Drupal CVE-2015-8103 (The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625 ...) 
- jenkins (bug #804522) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-7501 (Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data G ...) - libcommons-collections3-java 3.2.2-1 (unimportant) [jessie] - libcommons-collections3-java 3.2.1-7+deb8u1 [wheezy] - libcommons-collections3-java 3.2.1-5+deb7u1 [squeeze] - libcommons-collections3-java 3.2.1-4+deb6u1 NOTE: workaround entry to associate the squeeze-lts, wheezy- and jessie-security fixes with the NOTE: corresponding entry with unstable and the hardening change. - libcommons-collections4-java (unimportant) NOTE: severity unimportant since this is a hardening change, actual vulnerability relies in specific NOTE: https://issues.apache.org/jira/browse/COLLECTIONS-580 NOTE: No CVE is expected to be assigned, cf https://www.openwall.com/lists/oss-security/2015/11/17/19 NOTE: Patches for 3.2.x: NOTE: https://github.com/apache/commons-collections/commit/1642b00d67b96de87cad44223efb9ab5b4fb7be5 NOTE: https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee NOTE: https://github.com/apache/commons-collections/commit/bce4d022f27a723fa0e0b7484dcbf0afa2dd210a NOTE: https://github.com/apache/commons-collections/commit/d9a00134f16d685bea11b2b12de824845e6473e3 NOTE: Patches for 4.x: NOTE: https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611 NOTE: https://github.com/apache/commons-collections/commit/da1a5fe00d79e1840b7e52317933e9eb56e88246 NOTE: https://github.com/apache/commons-collections/commit/3eee44cf63b1ebb0da6925e98b3dcc6ef1e4d610 NOTE: https://github.com/apache/commons-collections/commit/78d47d4d098ab814a7a00a0b1c81646b27f050cf NOTE: https://github.com/apache/commons-collections/commit/b2b8f4adc557e4ef1ee2fe5e0ab46866c06ec55b CVE-2015-8079 (qt5-qtwebkit before 5.4 records private browsing URLs to its favicon d ...) 
- qtwebkit (unimportant) NOTE: qtwebkit not covered by security support CVE-2015-8080 (Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x ...) {DSA-3412-1} - redis 2:3.0.5-4 (bug #804419) [wheezy] - redis (Vulnerable code not present) [squeeze] - redis (Vulnerable code not present) NOTE: https://github.com/antirez/redis/issues/2855 CVE-2015-8078 (Integer overflow in the index_urlfetch function in imap/index.c in Cyr ...) - cyrus-imapd-2.4 2.4.18-4 (bug #804182) [jessie] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) [wheezy] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2 CVE-2015-8077 (Integer overflow in the index_urlfetch function in imap/index.c in Cyr ...) - cyrus-imapd-2.4 2.4.18-4 (bug #804182) [jessie] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) [wheezy] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08 CVE-2015-8074 (mediaserver in Android before 5.1.1 LMY48X allows remote attackers to ...) NOT-FOR-US: Android CVE-2015-8073 (mediaserver in Android 4.4 and 5.1 before 5.1.1 LMY48X allows remote a ...) NOT-FOR-US: Android CVE-2015-8072 (mediaserver in Android 4.4 through 5.x before 5.1.1 LMY48X and 6.0 bef ...) NOT-FOR-US: Android CVE-2015-8071 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8070 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8069 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8068 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-8067 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8066 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8065 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8064 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8063 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8062 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8061 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8060 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8059 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8058 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8057 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8056 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8055 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8054 REJECTED CVE-2015-8053 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-8052 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-8051 (The Adobe Premiere Clip app before 1.2.1 for iOS mishandles unspecifie ...) 
NOT-FOR-US: Adobe Pemiere Clip CVE-2015-8050 (Use-after-free vulnerability in the MovieClip object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8049 (Use-after-free vulnerability in the TextField object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8048 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8047 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8046 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8045 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8044 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8043 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8042 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8040 (The rtsp_getdlsendtime method in the CNC_Ctrl control in Samsung Smart ...) NOT-FOR-US: Samsung SmartViewer CVE-2015-8039 (Samsung SmartViewer allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Samsung SmartViewer CVE-2015-8038 (Multiple cross-site scripting (XSS) vulnerabilities in the Graphical U ...) NOT-FOR-US: Fortinet CVE-2015-8037 (Multiple cross-site scripting (XSS) vulnerabilities in the Graphical U ...) NOT-FOR-US: Fortinet CVE-2015-8036 (Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x b ...) {DSA-3468-1} - mbedtls (Fixed before the initial release to Debian) [experimental] - polarssl 1.3.14-0.1 - polarssl [wheezy] - polarssl (Vulnerable code introduced later) [squeeze] - polarssl (Vulnerable code introduced later) NOTE: support for session tickets added in 1.3.0. 
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 CVE-2015-8034 (The state.sls function in Salt before 2015.8.3 uses weak permissions o ...) - salt 2015.8.3+ds-1 (bug #807356) [jessie] - salt (Minor issue) NOTE: For jessie: /var/cache/salt/minion is created with restricted permissions on NOTE: first start of salt-minion in verify_env mitigating the issue, cf. NOTE: https://sources.debian.org/src/salt/2014.1.13%2Bds-3/salt/utils/verify.py/#L207 NOTE: https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741 NOTE: https://github.com/saltstack/salt/issues/28455 CVE-2015-8075 REJECTED CVE-2015-8033 (In Textpattern 4.5.7, the password-reset feature does not securely tet ...) NOT-FOR-US: Textpattern CVE-2015-8032 (In Textpattern 4.5.7, an unprivileged author can change an article's m ...) NOT-FOR-US: Textpattern CVE-2015-8035 (The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly d ...) {DSA-3430-1} - libxml2 2.9.3+dfsg1-1 (bug #803942) [squeeze] - libxml2 (No LZMA/XZ support in version 2.7.8) NOTE: Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 (v2.9.3) NOTE: You can use "xmllint --version" to verify if libxml2 is compiled with "Lzma" support. NOTE: sid's 2.9.2+zdfsg1-4 claims to have "Lzma" support but it's broken in fact... NOTE: so it barfs on the problematic file (parser error : Start tag expected, NOTE: '<' not found) even though it does not have the fix yet. The next upstream NOTE: release will fix this issue and will restore XZ support. NOTE: https://www.openwall.com/lists/oss-security/2015/11/02/2 CVE-2015-7984 (Multiple cross-site request forgery (CSRF) vulnerabilities in Horde be ...) 
	{DSA-3391-1}
	- php-horde 5.2.8+debian0-1 (bug #803641)
	NOTE: https://www.htbridge.com/advisory/HTB23272
	NOTE: https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae
	NOTE: http://lists.horde.org/archives/dev/Week-of-Mon-20141201/028821.html
CVE-2015-8031 RESERVED
CVE-2015-8030 (SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execu ...)
	NOT-FOR-US: SAP
CVE-2015-8029 (SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execu ...)
	NOT-FOR-US: SAP
CVE-2015-8028 (Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) all ...)
	NOT-FOR-US: SAP
CVE-2015-8027 (Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 d ...)
	- nodejs 4.2.3~dfsg-1 (bug #806385)
	[jessie] - nodejs (0.10 series not affected)
	NOTE: https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/
CVE-2015-8024 (McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/ ...)
	NOT-FOR-US: McAfee
CVE-2015-8023 (The server implementation of the EAP-MSCHAPv2 protocol in the eap-msch ...)
	{DSA-3398-1 DLA-345-1}
	- strongswan 5.3.3-3
	NOTE: https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html
CVE-2015-8022 (The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, ...)
	NOT-FOR-US: F5 BIG-IP
CVE-2015-8021 (Incomplete blacklist vulnerability in the Configuration utility in F5 ...)
	NOT-FOR-US: F5 BIG-IP
CVE-2015-8020 (Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default ...)
	NOT-FOR-US: Clustered Data ONTAP
CVE-2015-8018 RESERVED
CVE-2015-8017 RESERVED
CVE-2015-8016 RESERVED
CVE-2015-8015 RESERVED
CVE-2015-8014 RESERVED
CVE-2015-8009 (The MWOAuthDataStore::lookup_token function in Extension:OAuth for Med ...)
	NOT-FOR-US: Mediawiki extension OAuth
CVE-2015-8008 (The OAuth extension for MediaWiki improperly negotiates a new client t ...)
	NOT-FOR-US: Mediawiki extension OAuth
CVE-2015-8007 (The Echo extension for MediWiki does not properly implement the hideus ...)
	NOT-FOR-US: Mediawiki extension Echo
CVE-2015-8006 (Cross-site scripting (XSS) vulnerability in the PageTriage toolbar in ...)
	NOT-FOR-US: Mediawiki extension PageTriage
CVE-2015-XXXX [iptables-persistent minor local info leak]
	- iptables-persistent 1.0.4 (low; bug #764645)
	[jessie] - iptables-persistent 1.0.3+deb8u1
	[wheezy] - iptables-persistent 0.5.7+deb7u1
	[squeeze] - iptables-persistent (Minor issue)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/01/05/5
CVE-2015-XXXX
	- cinnamon-settings-daemon 2.8.3-1 (low)
	[jessie] - cinnamon-settings-daemon 2.2.4.repack-7+deb8u1
	NOTE: https://github.com/linuxmint/cinnamon-settings-daemon/commit/ac5e0be8c1817616dbdb056b6881cfc4660f57a8
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/10/28/3
CVE-2015-8025 (driver/subprocs.c in XScreenSaver before 5.34 does not properly perfor ...)
	{DSA-3438-1 DLA-338-1}
	- xscreensaver 5.34-1 (bug #802914)
	NOTE: http://pkgs.fedoraproject.org/cgit/xscreensaver.git/plain/xscreensaver-5.33-0002-Modify-sigchld_hander-in_signal_hander_p-mechanism.patch?id=b57f59f3482fedf70ce7a3541094e2512290139f
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1274452
CVE-2015-8005 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...)
	- mediawiki 1:1.25.5-1
	[wheezy] - mediawiki (Minor issues)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T108616
CVE-2015-8004 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...)
	- mediawiki 1:1.25.5-1
	[wheezy] - mediawiki (Minor issues)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T95589
CVE-2015-8003 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...)
	- mediawiki 1:1.25.5-1
	[wheezy] - mediawiki (Minor issues)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T91850
CVE-2015-8002 (The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x ...)
	- mediawiki 1:1.25.5-1
	[wheezy] - mediawiki (Minor issues)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T91205
CVE-2015-8001 (The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x ...)
	- mediawiki 1:1.25.5-1
	[wheezy] - mediawiki (Minor issues)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://phabricator.wikimedia.org/T91203
CVE-2015-8000 (db.c in named in ISC BIND 9.x before 9.9.8-P2 and 9.10.x before 9.10.3 ...)
	{DSA-3420-1 DLA-370-1}
	- bind9 1:9.9.5.dfsg-12.1 (bug #808081)
	NOTE: https://kb.isc.org/article/AA-01317
CVE-2015-7999 (Multiple SQL injection vulnerabilities in the Administration Web UI se ...)
	NOT-FOR-US: Citrix
CVE-2015-7998 (The administration UI in Citrix NetScaler Application Delivery Control ...)
	NOT-FOR-US: Citrix
CVE-2015-7997 (Multiple cross-site scripting (XSS) vulnerabilities in the Nitro API i ...)
	NOT-FOR-US: Citrix
CVE-2015-7996 (The Nitro API in Citrix NetScaler Application Delivery Controller (ADC ...)
	NOT-FOR-US: Citrix
CVE-2015-7994 (The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allo ...)
	NOT-FOR-US: SAP HANA
CVE-2015-7993 (The Extended Application Services (aka XS or XS Engine) in SAP HANA DB ...)
	NOT-FOR-US: SAP HANA
CVE-2015-7992 (SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticat ...)
	NOT-FOR-US: SAP HANA
CVE-2015-7991 (The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_ ...)
	NOT-FOR-US: SAP HANA
CVE-2015-7988 (The handle_regservice_request function in mDNSResponder before 625.41. ...)
	NOT-FOR-US: mDNSResponder
CVE-2015-7987 (Multiple buffer overflows in mDNSResponder before 625.41.2 allow remot ...)
	NOT-FOR-US: mDNSResponder
CVE-2015-7986 (The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote a ...)
	NOT-FOR-US: SAP
CVE-2015-7985 (Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) f ...)
	- steam (specific to the steam installer on windows)
CVE-2015-8019 (The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c i ...)
	- linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/11
	NOTE: Only for all stable kernels before v3.19 which have backported commit
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=89c22d8c3b278212eef6a8cc66b570bc840a6f5a
	NOTE: but are lacking the iov_iter conversion.
CVE-2015-7983 RESERVED
CVE-2015-7982 RESERVED
CVE-2015-7980 (Cross-site scripting (XSS) vulnerability in the Compass Rose module 6. ...)
	NOT-FOR-US: Drupal addon Compass Rose
CVE-2015-7990 (Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the ...)
	{DSA-3396-1 DLA-360-1}
	- linux 4.2.6-1
	- linux-2.6
	NOTE: https://lkml.org/lkml/2015/10/16/530
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/5
CVE-2015-7979 (NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to ...)
	{DSA-3629-1 DLA-559-1}
	- ntp 1:4.2.8p7+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2942
	NOTE: https://github.com/ntp-project/ntp/commit/fe46889f7baa75fc8e6c0fcde87706d396ce1461
CVE-2015-7978 (NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers t ...)
	{DSA-3629-1 DLA-559-1}
	- ntp 1:4.2.8p7+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2940
	NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1
CVE-2015-7977 (ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attac ...)
	{DSA-3629-1 DLA-559-1}
	- ntp 1:4.2.8p7+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2939
	NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1
CVE-2015-7976 (The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4 ...)
	- ntp 1:4.2.8p7+dfsg-1 (low)
	[jessie] - ntp (Minor issue, mitigation exists)
	[wheezy] - ntp (Minor issue, can be fixed along in a future update)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2938
	NOTE: https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796
	NOTE: https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61
CVE-2015-7975 (The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 doe ...)
	- ntp 1:4.2.8p7+dfsg-1
	[jessie] - ntp (Introduced in 4.2.8)
	[wheezy] - ntp (Introduced in 4.2.8)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2937
CVE-2015-7974 (NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer asso ...)
	{DSA-3629-1 DLA-559-1}
	- ntp 1:4.2.8p7+dfsg-1 (low)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2936
CVE-2015-7973 (NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadca ...)
	- ntp 1:4.2.8p7+dfsg-1 (low)
	[jessie] - ntp (Minor issue, can be fixed along in a future update)
	[wheezy] - ntp (Minor issue, can be fixed along in a future update)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2935
CVE-2015-7972 (The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2 ...)
	{DSA-3414-1 DLA-479-1}
	- xen 4.6.0-1
	[wheezy] - xen (Minor issue, xl not used in wheezy)
	[squeeze] - xen (not supported in squeeze-lts)
	NOTE: http://xenbits.xen.org/xsa/advisory-153.html
CVE-2015-7971 (Xen 3.2.x through 4.6.x does not limit the number of printk console me ...)
	{DSA-3414-1 DLA-479-1}
	- xen 4.6.0-1
	[squeeze] - xen (not supported in squeeze-lts)
	NOTE: http://xenbits.xen.org/xsa/advisory-152.html
CVE-2015-7970 (The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3 ...)
	{DSA-3414-1 DLA-479-1}
	- xen 4.6.0-1
	[wheezy] - xen (Minor issue, too intrusive to backport)
	[squeeze] - xen (not supported in squeeze-lts)
	NOTE: http://xenbits.xen.org/xsa/advisory-150.html
CVE-2015-7969 (Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest admin ...)
	{DSA-3414-1 DLA-479-1}
	- xen 4.6.0-1
	[squeeze] - xen (not supported in squeeze-lts)
	NOTE: http://xenbits.xen.org/xsa/advisory-149.html
	NOTE: http://xenbits.xen.org/xsa/advisory-151.html
CVE-2015-7968 (nwbc_ext2int in SAP NetWeaver Application Server before Security Note ...)
	NOT-FOR-US: SAP
CVE-2015-7967 (SafeNet Authentication Service for Citrix Web Interface Agent uses a w ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7966 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7965 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7964 (SafeNet Authentication Service for NPS Agent uses a weak ACL for unspe ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7963 (SafeNet Authentication Service for AD FS Agent uses a weak ACL for uns ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7962 (SafeNet Authentication Service for Outlook Web App Agent uses a weak A ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7961 (SafeNet Authentication Service Remote Web Workplace Agent uses a weak ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7960 REJECTED
CVE-2015-7959 REJECTED
CVE-2015-7958 REJECTED
CVE-2015-7957 REJECTED
CVE-2015-7956 REJECTED
CVE-2015-7955 REJECTED
CVE-2015-7954 REJECTED
CVE-2015-7953 REJECTED
CVE-2015-7952 REJECTED
CVE-2015-7951 REJECTED
CVE-2015-7950 REJECTED
CVE-2015-7949 REJECTED
CVE-2015-7948 REJECTED
CVE-2015-7947 REJECTED
CVE-2015-7946 (Information Exposure vulnerability in Unity8 as used on the Ubuntu pho ...)
	NOT-FOR-US: Unity8 (predates Lomiri)
CVE-2015-7945 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...)
	{DSA-3431-1}
	- ganeti 2.15.2-1 (bug #809538)
	[squeeze] - ganeti (Depends on KVM/Xen, unsupported in Squeeze LTS)
	NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=09fb8fc73c5fe33756cc63036d121b3d6dfa3f64
	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6e94ad76446904961744f9b0826414a5e4120693
	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6d44be24c50944fc35de7a490bc836938a82e1df
	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6f9ba80f8312d5607da70841f698c49000a31126
CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...)
	{DSA-3431-1}
	- ganeti 2.15.2-1 (bug #809537)
	[squeeze] - ganeti (Depends on KVM/Xen, unsupported in Squeeze LTS)
	NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox befor ...)
	{DLA-2559-1 DLA-1445-1 DLA-337-1}
	- busybox 1:1.27.2-1 (bug #803097)
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
	NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
	NOTE: https://git.busybox.net/busybox/commit/archival/libarchive/decompress_gunzip.c?id=6bd3fff51aa74e2ee2d87887b12182a3b09792ef
CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does n ...)
	{DSA-3605-1 DLA-514-1}
	- libxslt 1.1.28-2.1 (bug #802971)
	[squeeze] - libxslt (Minor issue)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1257962
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/10
	NOTE: https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617 (v1.1.29-rc1)
CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library (aka gli ...)
	- glibc 2.21-1 (bug #803927)
	[jessie] - glibc 2.19-18+deb8u2
	- eglibc
	[wheezy] - eglibc 2.13-38+deb7u9
	[squeeze] - eglibc 2.11.3-4+deb6u8
	NOTE: workaround entry for DLA-350-1 until/if CVE assigned
	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16009
	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed
	NOTE: http://openwall.com/lists/oss-security/2015/09/08/2
CVE-2015-8026 (Heap-based buffer overflow in the verify_vbr_checksum function in exfa ...)
	- exfat-utils 1.2.1-1
	[jessie] - exfat-utils 1.1.0-2+deb8u1
	[wheezy] - exfat-utils 0.9.7-2+deb7u1
	- fuse-exfat 1.2.1-1
	[jessie] - fuse-exfat 1.1.0-2+deb8u1
	[wheezy] - fuse-exfat 0.9.7-2+deb7u1
	NOTE: https://github.com/relan/exfat/issues/5
	NOTE: https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum
	NOTE: https://github.com/relan/exfat/commit/2e86ae5f81da11f11673d0546efb525af02b7786
CVE-2015-XXXX [Endless loop issue]
	- exfat-utils 1.2.1-1
	[jessie] - exfat-utils 1.1.0-2+deb8u1
	[wheezy] - exfat-utils 0.9.7-2+deb7u1
	- fuse-exfat 1.2.1-1
	[jessie] - fuse-exfat 1.1.0-2+deb8u1
	[wheezy] - fuse-exfat 0.9.7-2+deb7u1
	NOTE: https://github.com/relan/exfat/issues/6
	NOTE: https://crashes.fuzzing-project.org/exfatfsck-endless-loop
	NOTE: https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b
	NOTE: will possibly not get a CVE, cf. https://www.openwall.com/lists/oss-security/2015/10/29/13
CVE-2015-8010 (Cross-site scripting (XSS) vulnerability in the Classic-UI with the CS ...)
	- icinga 1.13.3-3 (bug #803432)
	[jessie] - icinga (Minor issue)
	[wheezy] - icinga (Minor issue)
	[squeeze] - icinga (Vulnerable code not present)
	NOTE: Introduced by: https://dev.icinga.org/issues/593 in 1.3.
	NOTE: Upstream issue: https://dev.icinga.org/issues/10453
	NOTE: Upstream fix: https://dev.icinga.org/projects/icinga-core/repository/revisions/5c816f5d9352c373e9dadb95b63612a96cf96dff
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/23/15
CVE-2015-7981 (The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1. ...)
	{DSA-3399-1 DLA-343-1}
	- libpng 1.2.54-1 (bug #803078)
	NOTE: http://sourceforge.net/p/libpng/bugs/241/
	NOTE: http://sourceforge.net/p/libpng/code/ci/fbf0f024346ca0a4ffc64b082a95c6b6bb6d29c4/
CVE-2015-7939 (Heap-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9.8 ...)
	NOT-FOR-US: Unitronics
CVE-2015-7938 (Advantech EKI-132x devices with firmware before 2015-12-31 allow remot ...)
	NOT-FOR-US: Advantech
CVE-2015-7937 (Stack-based buffer overflow in the GoAhead Web Server on Schneider Ele ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-7936 (Cross-site request forgery (CSRF) vulnerability in Motorola Solutions ...)
	NOT-FOR-US: Motorola Solutions MOSCAD IP Gateway
CVE-2015-7935 (Motorola Solutions MOSCAD IP Gateway allows remote attackers to read a ...)
	NOT-FOR-US: Motorola Solutions MOSCAD IP Gateway
CVE-2015-7934 (The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station ...)
	NOT-FOR-US: Adcon
CVE-2015-7933 RESERVED
CVE-2015-7932 (Adcon Telemetry A840 Telemetry Gateway Base Station allows remote atta ...)
	NOT-FOR-US: Adcon
CVE-2015-7931 (The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station ...)
	NOT-FOR-US: Adcon
CVE-2015-7930 (Adcon Telemetry A840 Telemetry Gateway Base Station has hardcoded cred ...)
	NOT-FOR-US: Adcon
CVE-2015-7929 (eWON devices with firmware through 10.1s0 support unspecified GET requ ...)
	NOT-FOR-US: eWON devices
CVE-2015-7928 (eWON devices with firmware before 10.1s0 do not have an off autocomple ...)
	NOT-FOR-US: eWON devices
CVE-2015-7927 (Cross-site scripting (XSS) vulnerability on eWON devices with firmware ...)
	NOT-FOR-US: eWON devices
CVE-2015-7926 (eWON devices with firmware before 10.1s0 omit RBAC for I/O server info ...)
	NOT-FOR-US: eWON devices
CVE-2015-7925 (Cross-site request forgery (CSRF) vulnerability on eWON devices with f ...)
	NOT-FOR-US: eWON devices
CVE-2015-7924 (eWON devices with firmware before 10.1s0 do not trigger the discarding ...)
	NOT-FOR-US: eWON devices
CVE-2015-7923 (Westermo WeOS before 4.19.0 uses the same SSL private key across diffe ...)
	NOT-FOR-US: Westermo
CVE-2015-7922 REJECTED
CVE-2015-7921 (The FTP server in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV b ...)
	NOT-FOR-US: Pro-face GP-Pro EX EX-ED
CVE-2015-7920 REJECTED
CVE-2015-7919 (SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the co ...)
	NOT-FOR-US: SearchBlox
CVE-2015-7918 (Multiple buffer overflows in the F1BookView ActiveX control in F1 Book ...)
	NOT-FOR-US: F1BookView
CVE-2015-7917 (Untrusted search path vulnerability in Open Automation OPC Systems.NET ...)
	NOT-FOR-US: Open Automation OPC Systems.NET
CVE-2015-7916 (Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWe ...)
	NOT-FOR-US: Sauter
CVE-2015-7915 (Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext creden ...)
	NOT-FOR-US: Sauter
CVE-2015-7914 (Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attacker ...)
	NOT-FOR-US: Sauter
CVE-2015-7913 (ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGa ...)
	NOT-FOR-US: AggreGate
CVE-2015-7912 (The Ice Faces servlet in ag_server_service.exe in the AggreGate Server ...)
	NOT-FOR-US: AggreGate
CVE-2015-7911 (Saia Burgess PCD1.M0xx0, PCD1.M2xx0, PCD2.M5xx0, PCD3.Mxx60, PCD3.Mxxx ...)
	NOT-FOR-US: Saia Burgess devices
CVE-2015-7910 (Exemys Telemetry Web Server relies on an HTTP Location header to indic ...)
	NOT-FOR-US: Exemys
CVE-2015-7909 (Stack-based buffer overflow in Hospira Communication Engine (CE) befor ...)
	NOT-FOR-US: Hospira
CVE-2015-7908 (Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detect ...)
	NOT-FOR-US: Honeywell Midas gas detectors and Midas Black gas detectors
CVE-2015-7907 (Directory traversal vulnerability in the web server on Honeywell Midas ...)
	NOT-FOR-US: Honeywell Midas gas detectors and Midas Black gas detectors
CVE-2015-7906 (LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices al ...)
	NOT-FOR-US: LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices
CVE-2015-7905 (Unitronics VisiLogic OPLC IDE before 9.8.02 allows remote attackers to ...)
	NOT-FOR-US: Unitronics
CVE-2015-7904 (Unrestricted file upload vulnerability in Infinite Automation Mango Au ...)
	NOT-FOR-US: Mango Automation
CVE-2015-7903 (SQL injection vulnerability in Infinite Automation Mango Automation 2. ...)
	NOT-FOR-US: Mango Automation
CVE-2015-7902 (Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 buil ...)
	NOT-FOR-US: Mango Automation
CVE-2015-7901 (Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 bui ...)
	NOT-FOR-US: Mango Automation
CVE-2015-7900 (Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 buil ...)
	NOT-FOR-US: Mango Automation
CVE-2015-7898 (Samsung Gallery in the Samsung Galaxy S6 allows local users to cause a ...)
	NOT-FOR-US: Samsung
CVE-2015-7897 (The media scanning functionality in the face recognition library in an ...)
	NOT-FOR-US: Samsung
CVE-2015-7896 (LibQJpeg in the Samsung Galaxy S6 before the October 2015 MR allows re ...)
	NOT-FOR-US: Samsung
CVE-2015-7895 (Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a ...)
	NOT-FOR-US: Samsung
CVE-2015-7894 (The DCMProvider service in Samsung LibQjpeg on a Samsung SM-G925V devi ...)
	NOT-FOR-US: Samsung
CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, ...)
	NOT-FOR-US: Samsung
CVE-2015-7892 (Stack-based buffer overflow in the m2m1shot_compat_ioctl32 function in ...)
	NOT-FOR-US: Samsung
CVE-2015-7891 (Race condition in the ioctl implementation in the Samsung Graphics 2D ...)
	NOT-FOR-US: Samsung Graphics 2D driver on Samsung devices with Android
CVE-2015-7890 (Multiple buffer overflows in the esa_write function in /dev/seirenin t ...)
	NOT-FOR-US: Samsung
CVE-2015-7889 (The SecEmailComposer/EmailComposer application in the Samsung S6 Edge ...)
	NOT-FOR-US: Samsung
CVE-2015-7888 (Directory traversal vulnerability in the WifiHs20UtilityService on the ...)
	NOT-FOR-US: WifiHs20UtilityService on Samsung S6 Edge LRX22G.G925VVRU1AOE2
CVE-2015-7887 (NetApp SnapCenter Server 1.0 allows remote authenticated users to list ...)
	NOT-FOR-US: NetApp SnapCenter Server
CVE-2015-7886 (NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enab ...)
	NOT-FOR-US: NetApp
CVE-2015-7899 (The com_content component in Joomla! 3.x before 3.4.5 does not properl ...)
	NOT-FOR-US: Joomla!
CVE-2015-7883 RESERVED
CVE-2015-7882 (Improper handling of LDAP authentication in MongoDB Server versions 3. ...)
	- mongodb (Only affects Enterprise version)
CVE-2015-7881 (The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote a ...)
	NOT-FOR-US: Colorbox module for Drupal
CVE-2015-7880 (The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allow ...)
	NOT-FOR-US: Entity Registration module for Drupal
CVE-2015-7879 (Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x ...)
	NOT-FOR-US: Stickynote module for Drupal
CVE-2015-7878 (Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6 ...)
	NOT-FOR-US: Taxonomy Find module for Drupal
CVE-2015-7877 (Multiple SQL injection vulnerabilities in the User Dashboard module 7. ...)
	NOT-FOR-US: User Dashboard module for Drupal
CVE-2015-7876 (The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver ...)
	NOT-FOR-US: Driver for SQL Server and SQL Azure module for Drupal
CVE-2015-7875 (ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal do ...)
	NOT-FOR-US: Ctools module for Drupal
CVE-2015-7874 (Buffer overflow in the chat server in KiTTY Portable 0.65.0.2p and ear ...)
	NOT-FOR-US: KiTTY Portable
CVE-2015-7873 (The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 ...)
	{DSA-3382-1}
	- phpmyadmin 4:4.5.1-1 (low)
	[jessie] - phpmyadmin (Minor issue)
	[wheezy] - phpmyadmin (Vulnerable code not present)
	[squeeze] - phpmyadmin (Vulnerable code not present)
CVE-2015-7943 (Open redirect vulnerability in the Overlay module in Drupal 7.x before ...)
	{DLA-548-1}
	- drupal7 7.41-1
	[jessie] - drupal7 7.32-1+deb8u9
	NOTE: https://www.drupal.org/SA-CORE-2015-004
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/21/6
	NOTE: http://cgit.drupalcode.org/drupal/commit/?id=9f72251c9291b5613acb9ca4ea7a51b4739e3f93
CVE-2015-7885 (The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in th ...)
	- linux 4.4.2-1 (unimportant)
	NOTE: dgnc driver not built
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=4b6184336ebb5c8dc1eae7f7ab46ee608a748b05
CVE-2015-7884 (The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd. ...)
	- linux 4.2.6-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=eda98796aff0d9bf41094b06811f5def3b4c333c (v4.4-rc1)
CVE-2015-7871 (Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x befo ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/aa44b5835d69d8ee031736bb8ee2730a514edb7d
CVE-2015-7870 RESERVED
CVE-2015-7869 (Multiple integer overflows in the kernel mode driver for the NVIDIA GP ...)
	- nvidia-graphics-drivers 352.63-1 (bug #805917)
	[jessie] - nvidia-graphics-drivers 340.96-1
	[wheezy] - nvidia-graphics-drivers 304.131-1
	[squeeze] - nvidia-graphics-drivers (Non-free not supported)
	- nvidia-graphics-drivers-legacy-340xx 340.96-1 (bug #805919)
	- nvidia-graphics-drivers-legacy-304xx 304.131-2 (bug #805918)
	[jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported)
CVE-2015-7868 RESERVED
CVE-2015-7867 RESERVED
CVE-2015-7866 (Unquoted Windows search path vulnerability in the Smart Maximize Helpe ...)
	NOT-FOR-US: NVIDIA drivers for Windows
CVE-2015-7865 (nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GP ...)
	NOT-FOR-US: NVIDIA drivers for Windows
CVE-2015-7864 RESERVED
CVE-2015-7863 (The default configuration of Persistent Accelerite Radia Client Automa ...)
	NOT-FOR-US: Persistent Accelerite Radia
CVE-2015-7862 (Persistent Accelerite Radia Client Automation (formerly HP Client Auto ...)
	NOT-FOR-US: Persistent Accelerite Radia
CVE-2015-7861 (Persistent Accelerite Radia Client Automation (formerly HP Client Auto ...)
	NOT-FOR-US: Persistent Accelerite Radia
CVE-2015-7860 (Stack-based buffer overflow in the agent in Persistent Accelerite Radi ...)
	NOT-FOR-US: Persistent Accelerite Radia
CVE-2015-7859 (The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not ...)
	NOT-FOR-US: Joomla!
CVE-2015-7858 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote ...)
	NOT-FOR-US: Joomla!
CVE-2015-7857 (SQL injection vulnerability in the getListQuery function in administra ...)
	NOT-FOR-US: Joomla!
CVE-2015-7856 (OpenNMS has a default password of rtc for the rtc account, which makes ...)
	- opennms (bug #450615)
CVE-2015-7855 (The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3 ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/ba716a464ecb20618560075f2e4e1051e5b6f24f
CVE-2015-7854 (Buffer overflow in the password management functionality in NTP 4.2.x ...)
	- ntp 1:4.2.8p4+dfsg-1
	[jessie] - ntp (Bug introduced in 4.2.7p262)
	[wheezy] - ntp (Bug introduced in 4.2.7p262)
	[squeeze] - ntp (Bug introduced in 4.2.7p262)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/1bb401576f412532d8cdcca5509b85ad29605913
CVE-2015-7853 (The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8 ...)
	- ntp 1:4.2.8p4+dfsg-1
	[jessie] - ntp (Bug introduced in 4.2.8p1-beta3)
	[wheezy] - ntp (Bug introduced in 4.2.8p1-beta3)
	[squeeze] - ntp (Bug introduced in 4.2.8p1-beta3)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/8482b536f9494a5d45196ab5b7e13040f5940261
CVE-2015-7852 (ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remot ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/07a5b8141e354a998a52994c3c9cd547927e56ce
CVE-2015-7851 (Directory traversal vulnerability in the save_config function in ntpd ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-1
	[jessie] - ntp (Vulnerability only affects VMS)
	[wheezy] - ntp (Vulnerability only affects VMS)
	[squeeze] - ntp (Vulnerability only affects VMS)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/184516e143ce4448ddb5b9876dd372008cc779f6
CVE-2015-7850 (ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remot ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-1
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/bb928ef08eec020ef6008f3a140702ccc0536b8e
CVE-2015-7849 (Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and ...)
	- ntp 1:4.2.8p4+dfsg-1
	[jessie] - ntp (Bug introduced in 4.2.7p262)
	[wheezy] - ntp (Bug introduced in 4.2.7p262)
	[squeeze] - ntp (Bug introduced in 4.2.7p262)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/9c22e66c8f2be6aa0c846f0d9804db20f93c105d
CVE-2015-7848 (An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-b ...)
	- ntp 1:4.2.8p4+dfsg-1
	[jessie] - ntp (Bug introduced in 4.2.7p131)
	[wheezy] - ntp (Bug introduced in 4.2.7p131)
	[squeeze] - ntp (Bug introduced in 4.2.7p131)
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
	NOTE: https://github.com/ntp-project/ntp/commit/c04c3d3d940dfe1a53132925c4f51aef017d2e0f
CVE-2015-7847 (Huawei MBB (Mobile Broadband) product E3272s with software versions ea ...)
	NOT-FOR-US: Huawei
CVE-2015-7846 (Huawei S7700, S9700, S9300 before V200R07C00SPC500, and AR200, AR1200, ...)
	NOT-FOR-US: Huawei
CVE-2015-7845 (The exception handling mechanism in the CLI Module in Huawei eSpace U1 ...)
	NOT-FOR-US: Huawei
CVE-2015-7844 (Huawei FusionAccess with software V100R005C10,V100R005C20 could allow ...)
	NOT-FOR-US: Huawei
CVE-2015-7843 (The management interface on Huawei FusionServer rack servers RH2288 V3 ...)
	NOT-FOR-US: Huawei
CVE-2015-7842 (Huawei FusionServer rack servers RH2288 V3 with software before V100R0 ...)
	NOT-FOR-US: Huawei
CVE-2015-7841 (The login page of the server on Huawei FusionServer rack servers RH228 ...)
	NOT-FOR-US: Huawei
CVE-2015-7872 (The key_gc_unused_keys function in security/keys/gc.c in the Linux ker ...)
	{DSA-3396-1}
	- linux 4.2.5-1
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code not present)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1272371
	NOTE: Prerequisite for Fedora patches: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94c4554ba07adbdde396748ee7ae01e86cf2d8d7
	NOTE: Patches from Fedora: http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?id=d76d5fe34b5c151ad83761160998b1075729b541
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 (v4.3-rc7)
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/20/5
CVE-2015-8013 (s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of pas ...)
- node-openpgp (bug #787774) NOTE: https://www.openwall.com/lists/oss-security/2015/10/13/7 CVE-2015-7840 (The command line management console (CMC) in SolarWinds Log and Event ...) NOT-FOR-US: SolarWinds CVE-2015-7839 (SolarWinds Log and Event Manager (LEM) allows remote attackers to exec ...) NOT-FOR-US: SolarWinds CVE-2015-7838 (ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows ...) NOT-FOR-US: SolarWinds CVE-2015-7837 (The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, an ...) - linux 4.5.1-1 (unimportant) NOTE: secureboot not yet supported in the Debian package in 4.3 NOTE: https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798 NOTE: Fix is included in 4.5.1-1 with the patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch CVE-2015-7836 (Siemens RUGGEDCOM ROS before 4.2.1 allows remote attackers to obtain s ...) NOT-FOR-US: Siemens CVE-2015-7835 (The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x do ...) {DSA-3390-1} - xen 4.6.0-1 [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-148.html CVE-2015-7834 (Multiple unspecified vulnerabilities in Google V8 before 4.6.85.23, as ...) - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2015-7833 (The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 t ...) {DSA-3426-1 DSA-3396-1 DLA-360-1} - linux 4.2.6-2 - linux-2.6 NOTE: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=588afcc1c0e45358159090d95bf7b246fb67565 NOTE: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=fa52bd506f274b7619955917abfde355e3d19ff NOTE: initial fix missed a second needed commit. CVE-2015-7832 RESERVED CVE-2015-7831 (In Cloudera Hue, there is privilege escalation by a read-only user whe ...) 
NOT-FOR-US: Cloudera CVE-2015-7829 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7828 (SAP HANA Database 1.00 SPS10 and earlier do not require authentication ...) NOT-FOR-US: SAP HANA CVE-2015-7827 (Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remo ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.13-1 (bug #817932) NOTE: Fixed in 1.11.22 and 1.10.13. Affected all previous versions. NOTE: http://botan.randombit.net/security.html CVE-2015-7826 (botan 1.11.x before 1.11.22 improperly handles wildcard matching again ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7825 (botan before 1.11.22 improperly validates certificate paths, which all ...) - botan1.10 (Introduced in 1.11.6) NOTE: Introduced in 1.11.6, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7824 (botan 1.11.x before 1.11.22 makes it easier for remote attackers to de ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7823 (Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS ...) NOT-FOR-US: Kentico CMS CVE-2015-7822 (Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 ...) NOT-FOR-US: Kentico CMS CVE-2015-7821 RESERVED CVE-2015-7820 (Race condition in the administration-panel web service in IBM System N ...) NOT-FOR-US: IBM CVE-2015-7819 (The DB service in IBM System Networking Switch Center (SNSC) before 7. ...) NOT-FOR-US: IBM CVE-2015-7818 (The administration-panel web service in IBM System Networking Switch C ...) NOT-FOR-US: IBM CVE-2015-7817 (Race condition in the administration-panel web service in IBM System N ...) NOT-FOR-US: IBM CVE-2015-7816 (The DisplayTopKeywords function in plugins/Referrers/Controller.php in ...) 
- matomo (bug #448532) CVE-2015-7815 (Directory traversal vulnerability in core/ViewDataTable/Factory.php in ...) - matomo (bug #448532) CVE-2015-7814 (Race condition in the relinquish_memory function in arch/arm/domain.c ...) {DSA-3414-1} - xen 4.6.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-147.html [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) CVE-2015-7813 (Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk consol ...) {DSA-3414-1} - xen 4.6.0-1 [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-146.html CVE-2015-7812 (The hypercall_create_continuation function in arch/arm/domain.c in Xen ...) {DSA-3414-1} - xen 4.6.0-1 [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-145.html CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...) {DSA-4836-1 DLA-2571-1} - lldpd 0.7.19-1 [jessie] - lldpd 0.7.11-2+deb8u1 [wheezy] - lldpd (Vulnerable code not present) [squeeze] - lldpd (Vulnerable code not present) - openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-1 NOTE: https://github.com/lldpd/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2 NOTE: https://www.openwall.com/lists/oss-security/2015/10/16/2 NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html NOTE: https://github.com/openvswitch/ovs/commit/bb5a9937fa8e04e71052fb50e23894448d19678f CVE-2015-8012 (lldpd before 0.8.0 allows remote attackers to cause a denial of servic ...) 
- lldpd 0.7.19-1 [jessie] - lldpd 0.7.11-2+deb8u1 [wheezy] - lldpd (Vulnerable code not present) [squeeze] - lldpd (Vulnerable code not present) NOTE: https://github.com/lldpd/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00 NOTE: https://www.openwall.com/lists/oss-security/2015/10/18/2 CVE-2015-XXXX [cakephp: XML class SSRF vulnerability] - cakephp 2.6.7-1 (bug #832283) [jessie] - cakephp (Minor issue) [wheezy] - cakephp 1.3.15-1+deb7u1 [squeeze] - cakephp 1.3.2-1.1+deb6u11 NOTE: Workaround entry for DLA-333-1 and DLA-566-1 until/if CVE assigned NOTE: http://seclists.org/fulldisclosure/2015/Oct/70 NOTE: https://github.com/cakephp/cakephp/releases/tag/2.6.6 CVE-2015-7830 (The pcapng_read_if_descr_block function in wiretap/pcapng.c in the pca ...) {DSA-3505-1} - wireshark 1.12.8+g5b6e543-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-30.html CVE-2015-7811 RESERVED CVE-2015-7810 (libbluray MountManager class has a time-of-check time-of-use (TOCTOU) ...) - libbluray 1:0.9.1-1 (low) [jessie] - libbluray (Minor issue, too intrusive to backport) [wheezy] - libbluray (Minor issue) NOTE: CVE was assigned specific to the Fedora packages, cf. NOTE: https://www.openwall.com/lists/oss-security/2015/10/12/7 NOTE: Salvatored asked if Debian needs a separate CVE: NOTE: https://www.openwall.com/lists/oss-security/2015/10/13/6 NOTE: No reply, so we'll just use the same ID NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434 CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 t ...) NOT-FOR-US: vBulletin CVE-2015-7807 RESERVED CVE-2015-7806 (Eval injection vulnerability in the fm_saveHelperGatherItems function ...) NOT-FOR-US: Wordpress plugin CVE-2015-7805 (Heap-based buffer overflow in libsndfile 1.0.25 allows remote attacker ...) 
{DLA-928-1 DLA-356-1} - libsndfile 1.0.25-10 (bug #804445) [jessie] - libsndfile 1.0.25-9.1+deb8u1 NOTE: http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/ NOTE: https://www.exploit-db.com/exploits/38447/ CVE-2015-7802 (gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote a ...) - optipng 0.7.6-1 (unimportant; bug #801700) NOTE: Not a security flaw as the under-read does not depend on input CVE-2015-7801 (Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers ...) {DLA-332-1} - optipng 0.7.5-1 [wheezy] - optipng 0.6.4-1+deb7u1 CVE-2015-7800 RESERVED CVE-2015-7799 (The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel ...) {DSA-3426-1 DLA-360-1} - linux 4.2.6-2 - linux-2.6 NOTE: https://code.google.com/p/android/issues/detail?id=187973 NOTE: DoS, requires access to /dev/ppp which is root-only by default NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ab42d78e37a294ac7bc56901d563c642e03c4ae CVE-2015-7798 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7797 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7796 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7795 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7794 (Corega CG-WLNCM4G devices provide an open DNS resolver, which allows r ...) NOT-FOR-US: Corega CVE-2015-7793 (Corega CG-WLBARAGM devices provide an open proxy service, which allows ...) NOT-FOR-US: Corega CVE-2015-7792 (Corega CG-WLBARGS devices allow remote attackers to perform administra ...) 
NOT-FOR-US: Corega CVE-2015-7791 (Multiple SQL injection vulnerabilities in admin.php in the Collne Welc ...) NOT-FOR-US: Collne Welcart plugin for WordPress CVE-2015-7790 (Cross-site scripting (XSS) vulnerability on ASUS Japan WL-330NUL devic ...) NOT-FOR-US: ASUS CVE-2015-7789 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7788 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7787 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7786 (Cross-site scripting (XSS) vulnerability in the NTT DATA Smart Sourcin ...) NOT-FOR-US: NTT DATA CVE-2015-7785 (GANMA! App for iOS does not verify SSL certificates. ...) NOT-FOR-US: GANMA! App for iOS CVE-2015-7784 (SQL injection vulnerability in the BOKUBLOCK (1) BbAdminViewsControl21 ...) NOT-FOR-US: BOKUBLOCK CVE-2015-7783 (Cross-site scripting (XSS) vulnerability in Let's PHP! p++BBS before 4 ...) NOT-FOR-US: p++BBS CVE-2015-7782 (Cross-site scripting (XSS) vulnerability in Let's PHP! Frame high-spee ...) NOT-FOR-US: Let's PHP! CVE-2015-7781 (ManageEngine Firewall Analyzer before 8.0 does not restrict access per ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7780 (Directory traversal vulnerability in ManageEngine Firewall Analyzer be ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7779 REJECTED CVE-2015-7778 (Gurunavi App for iOS before 6.0.0 does not verify SSL certificates whi ...) NOT-FOR-US: Gurunavi App for iOS CVE-2015-7777 (Cross-site scripting (XSS) vulnerability in index.php in JosephErnest ...) NOT-FOR-US: JosephErnest Void CVE-2015-7776 (Cybozu Garoon 3.x and 4.x before 4.2.0 does not properly restrict load ...) NOT-FOR-US: Cybozu CVE-2015-7775 (Cross-site scripting (XSS) vulnerability in Cybozu Garoon 4.0.3 allows ...) NOT-FOR-US: Cybozu CVE-2015-7774 (PC-EGG pWebManager before 3.3.10, and before 2.2.2 for PHP 4.x, allows ...) 
NOT-FOR-US: PC-EGG CVE-2015-7773 (Unrestricted file upload vulnerability in the Panel component in Basti ...) NOT-FOR-US: Bastian Allgeier Kirby CVE-2015-7772 (Cross-site scripting (XSS) vulnerability in the runtime engine in the ...) NOT-FOR-US: Newphoria CVE-2015-7771 (Cross-site scripting (XSS) vulnerability in the runtime engine in the ...) NOT-FOR-US: Newphoria CVE-2015-7770 (Dell SonicWall TotalSecure TZ 100 devices with firmware before 5.9.1.0 ...) NOT-FOR-US: Dell CVE-2015-7769 (baserCMS 3.0.2 through 3.0.8 allows remote authenticated users to exec ...) NOT-FOR-US: baserCMS CVE-2015-7768 (Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attack ...) NOT-FOR-US: Konica Minolta CVE-2015-7767 (Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attack ...) NOT-FOR-US: Konica Minolta CVE-2015-7766 (PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and ea ...) NOT-FOR-US: ZOHO CVE-2015-7765 (ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardco ...) NOT-FOR-US: ZOHO CVE-2015-7809 (The displayBlock function Template.php in Sensio Labs Twig before 1.20 ...) {DSA-3343-1} - twig 1.20.0-1 NOTE: http://symfony.com/blog/security-release-twig-1-20-0 CVE-2015-7804 (Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c ...) {DSA-3380-1 DLA-341-1} - php5 5.6.14+dfsg-1 (medium) NOTE: https://bugs.php.net/bug.php?id=70433 CVE-2015-7803 (The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5. ...) {DSA-3380-1 DLA-341-1} - php5 5.6.14+dfsg-1 (low) NOTE: https://bugs.php.net/bug.php?id=69720 CVE-2015-7764 (Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting ...) - lemur (bug #809533) CVE-2015-7763 (rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, and 1.7 ...) {DSA-3387-1 DLA-342-1} - openafs 1.6.15-1 NOTE: https://www.openafs.org/security CVE-2015-7762 (rx/rx.c in OpenAFS before 1.6.15 and 1.7.x before 1.7.33 does not prop ...) 
{DSA-3387-1 DLA-342-1} - openafs 1.6.15-1 NOTE: https://www.openafs.org/security CVE-2015-7761 (Mail in Apple OS X before 10.11 does not properly recognize user prefe ...) NOT-FOR-US: Apple CVE-2015-7760 (libxpc in launchd in Apple OS X before 10.11 does not restrict the cre ...) NOT-FOR-US: Apple CVE-2015-7759 (BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 12 ...) NOT-FOR-US: BIG-IP CVE-2015-7757 REJECTED CVE-2015-7756 (The encryption implementation in Juniper ScreenOS 6.2.0r15 through 6.2 ...) NOT-FOR-US: Juniper ScreenOS CVE-2015-7755 (Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, ...) NOT-FOR-US: Juniper ScreenOS CVE-2015-7754 (Juniper ScreenOS before 6.3.0r21, when ssh-pka is configured and enabl ...) NOT-FOR-US: Juniper CVE-2015-7753 RESERVED CVE-2015-7752 (The SSH server in Juniper Junos OS before 12.1X44-D50, 12.1X46 before ...) NOT-FOR-US: Juniper CVE-2015-7751 (Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X ...) NOT-FOR-US: Juniper CVE-2015-7750 (The L2TP packet processing functionality in Juniper Netscreen and Scre ...) NOT-FOR-US: Juniper CVE-2015-7749 (The PFE daemon in Juniper vSRX virtual firewalls with Junos OS before ...) NOT-FOR-US: Juniper CVE-2015-7748 (Juniper chassis with Trio (Trinity) chipset line cards and Junos OS 13 ...) NOT-FOR-US: Juniper CVE-2015-7746 (NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remot ...) NOT-FOR-US: NetApp CVE-2015-7745 RESERVED CVE-2015-7744 (wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults ...) 
- wolfssl 3.9.10+dfsg-1 - mysql-5.6 5.6.27-1 - mysql-5.5 5.5.46-0+deb8u1 [jessie] - mysql-5.5 5.5.46-0+deb8u1 [wheezy] - mysql-5.5 5.5.46-0+deb7u1 [squeeze] - mysql-5.5 5.5.46-0+deb6u1 - mariadb-10.0 10.0.22-1 [jessie] - mariadb-10.0 10.0.22-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2015-7743 (XML external entity vulnerability in PRTG Network Monitor before 16.2. ...) NOT-FOR-US: PRTG Network Monitor CVE-2015-7742 RESERVED CVE-2015-7741 RESERVED CVE-2015-7739 RESERVED CVE-2015-7738 RESERVED CVE-2015-7737 RESERVED CVE-2015-7736 RESERVED CVE-2015-7735 RESERVED CVE-2015-7734 RESERVED CVE-2015-7733 RESERVED CVE-2015-7732 (The Avira Mobile Security app before 1.5.11 for iOS sends sensitive lo ...) NOT-FOR-US: Avira Mobile Security app CVE-2015-7731 (SAP Mobile Platform 3.0 SP05 ClientHub allows attackers to obtain the ...) NOT-FOR-US: SAP CVE-2015-7730 (SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and Bus ...) NOT-FOR-US: SAP BusinessObjects CVE-2015-7729 (Eval injection in test-net.xsjs in the Web-based Development Workbench ...) NOT-FOR-US: SAP HANA CVE-2015-7728 (Cross-site scripting (XSS) vulnerability in user creation in the Web-b ...) NOT-FOR-US: SAP HANA CVE-2015-7727 (Multiple SQL injection vulnerabilities in the Web-based Development Wo ...) NOT-FOR-US: SAP HANA CVE-2015-7726 (Cross-site scripting (XSS) vulnerability in role deletion in the Web-b ...) NOT-FOR-US: SAP HANA CVE-2015-7725 (Multiple SQL injection vulnerabilities in the Web-based Development Wo ...) NOT-FOR-US: SAP HANA CVE-2015-7724 (AMD fglrx-driver before 15.9 allows local users to gain privileges via ...) 
- fglrx-driver 1:15.9-1 (bug #803517) [jessie] - fglrx-driver (Non-free not supported) [wheezy] - fglrx-driver (non-free not supported) [squeeze] - fglrx-driver (non-free not supported) NOTE: http://seclists.org/fulldisclosure/2015/Oct/103 CVE-2015-7723 (AMD fglrx-driver before 15.7 allows local users to gain privileges via ...) - fglrx-driver 1:15.7-1 (bug #803517) [jessie] - fglrx-driver (Non-free not supported) [wheezy] - fglrx-driver (non-free not supported) [squeeze] - fglrx-driver (non-free not supported) NOTE: http://seclists.org/fulldisclosure/2015/Oct/104 CVE-2015-7722 RESERVED CVE-2015-7721 RESERVED CVE-2015-7720 RESERVED CVE-2015-7719 RESERVED CVE-2015-7718 (mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10- ...) NOT-FOR-US: mediaserver in Android CVE-2015-7717 (mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10- ...) NOT-FOR-US: mediaserver in Android CVE-2015-7716 (libstagefright in Android 5.x before 5.1.1 LMY48T allows remote attack ...) NOT-FOR-US: libstagefright in Android CVE-2015-7715 (Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (c ...) NOT-FOR-US: Realtyna RPL for Joomla! CVE-2015-7714 (Multiple SQL injection vulnerabilities in the Realtyna RPL (com_rpl) c ...) NOT-FOR-US: Realtyna RPL for Joomla! CVE-2015-7712 (Multiple eval injection vulnerabilities in mods/_standard/gradebook/ed ...) NOT-FOR-US: ATutor CVE-2015-7711 (Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2. ...) NOT-FOR-US: ATutor CVE-2015-7710 RESERVED CVE-2015-7709 (The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkei ...) NOT-FOR-US: Western Digital CVE-2015-7708 (Cross-site scripting (XSS) vulnerability in 4images 1.7.11 and earlier ...) NOT-FOR-US: 4images CVE-2015-7707 (Ignite Realtime Openfire 3.10.2 allows remote authenticated users to g ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2015-7706 (Multiple cross-site scripting (XSS) vulnerabilities in Secure Data Spa ...) 
NOT-FOR-US: Secure Data Space CVE-2015-7758 (Gummi 0.6.5 allows local users to write to arbitrary files via a symli ...) - gummi 0.6.5-6 (bug #756432) [jessie] - gummi 0.6.5-3+deb8u1 [wheezy] - gummi 0.6.3-1.2+deb7u2 NOTE: https://www.openwall.com/lists/oss-security/2015/10/08/4 CVE-2015-7740 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P ...) NOT-FOR-US: ARM Mali GPU driver CVE-2015-7545 (The (1) git-remote-ext and (2) unspecified other remote helper program ...) {DSA-3435-1} - git 1:2.6.1-1 [squeeze] - git (git 1.7.2 did not have git-remote-ext yet) NOTE: https://www.openwall.com/lists/oss-security/2015/10/06/1 CVE-2015-7747 (Buffer overflow in the afReadFrames function in audiofile (aka libaudi ...) - audiofile 0.3.6-3 (bug #801102) [jessie] - audiofile 0.3.6-2+deb8u1 [wheezy] - audiofile (Minor issue) [squeeze] - audiofile (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2015/10/06/2 CVE-2015-7705 (The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4 ...) - ntp 1:4.2.8p4+dfsg-3 [jessie] - ntp (Default config not affected) [wheezy] - ntp (Default config not affected) [squeeze] - ntp (Default config not affected) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/21d57dc336dbe9a975baca5ce5ae4da5b71ff123 NOTE: https://github.com/ntp-project/ntp/commit/492758c3d0690d3ccf7130fabfcf670997f12f7b NOTE: Original fix was reported broken, then fixed in http://bugs.ntp.org/show_bug.cgi?id=2952 (4.2.8p7) NOTE: Original upsteam bug: http://support.ntp.org/bin/view/Main/NtpBug2901 CVE-2015-7704 (The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allo ...) 
{DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-3 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Original ntp fix applied in 1:4.2.8p4+dfsg-1for CVE-2015-7704 is apparently broken NOTE: http://lists.ntp.org/pipermail/pool/2015-October/007631.html CVE-2015-7703 (The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/5dea6ff160c7e8f7cb038619ccccd28c3a8df637 NOTE: https://github.com/ntp-project/ntp/commit/cdae0f1369ade98dc7ae912a0f1953b6e533cb88 CVE-2015-7702 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/c4cd4aaf418f57f7225708a93bf48afb2bc9c1da CVE-2015-7701 (Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/d7cd5e186034340402f1393e0813c7d2b14ea6ca NOTE: https://github.com/ntp-project/ntp/commit/79604d925e4477247eee202155215e7865293809 CVE-2015-7700 (Double-free vulnerability in the sPLT chunk structure and png.c in png ...) - pngcrush 1.8.13-0.1 (bug #874109) [stretch] - pngcrush (Minor issue) [jessie] - pngcrush (Minor issue) [wheezy] - pngcrush (Minor issue) NOTE: http://sourceforge.net/p/pmt/code/ci/e8ae5a842e86324f0bee91f4d98245fddb8ea5dd (1.7.87) CVE-2015-7697 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of servic ...) {DSA-3386-1 DLA-330-1} - unzip 6.0-19 (bug #802160) CVE-2015-7696 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of servic ...) 
{DSA-3386-1 DLA-330-1} - unzip 6.0-19 (bug #802162) CVE-2015-7695 (The PDO adapters in Zend Framework before 1.12.16 do not filer null by ...) {DSA-3369-1 DLA-326-1} - zendframework 1.12.16+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2015-08 NOTE: https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 CVE-2015-7694 RESERVED CVE-2015-7693 RESERVED CVE-2015-7692 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Fixed upstream together with CVE-2015-7702 CVE-2015-7691 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Fixed upstream together with CVE-2015-7702 CVE-2015-7690 RESERVED CVE-2015-7689 RESERVED CVE-2015-7688 RESERVED CVE-2015-7685 (GLPI before 0.85.3 allows remote authenticated users to create super-a ...) - glpi (unimportant) NOTE: https://forge.glpi-project.org/issues/5218 NOTE: Only supported behind an authenticated HTTP zone CVE-2015-7684 (Unrestricted file upload in GLPI before 0.85.3 allows remote authentic ...) - glpi (unimportant) NOTE: https://forge.glpi-project.org/issues/5217 NOTE: Only supported behind an authenticated HTTP zone CVE-2015-7683 (Absolute path traversal vulnerability in Font.php in the Font plugin b ...) NOT-FOR-US: Font plugin for WordPress CVE-2015-7682 (Multiple SQL injection vulnerabilities in pie-register/pie-register.ph ...) NOT-FOR-US: Pie Register plugin for WordPress CVE-2015-7681 REJECTED CVE-2015-7680 (Ipswitch MOVEit DMZ before 8.2 provides different error messages for a ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7679 (Cross-site scripting (XSS) vulnerability in Ipswitch MOVEit Mobile bef ...) 
NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7678 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7677 (The MOVEitISAPI service in Ipswitch MOVEit DMZ before 8.2 provides dif ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7676 (Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when con ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7675 (The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7672 (Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in C ...) - centreon-web (bug #913903) CVE-2015-7713 (OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 20 ...) - nova 1:12.0.0-2 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1 NOTE: https://www.openwall.com/lists/oss-security/2015/10/05/10 CVE-2015-XXXX [Remotely triggerable buffer overflow in OpenSMTPD] - opensmtpd 5.7.3p1-1 NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/10/04/2 NOTE: Fixed with 5.7.3 upstream release CVE-2015-7687 (Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote a ...) - opensmtpd 5.7.3p1-1 (bug #800787) CVE-2015-7686 (Algorithmic complexity vulnerability in Address.pm in the Email-Addres ...) - libemail-address-perl 1.912-1 (bug #868170; unimportant) [stretch] - libemail-address-perl 1.908-1+deb9u1 [jessie] - libemail-address-perl (Minor issue) [wheezy] - libemail-address-perl (Minor issue) [squeeze] - libemail-address-perl (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2015/10/02/13 NOTE: Possibility of DoS vs. 
usability issue for Email::Address NOTE: Mitigation: https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae CVE-2015-7671 RESERVED CVE-2015-7670 (Multiple SQL injection vulnerabilities in includes/update.php in the S ...) NOT-FOR-US: Support Ticket System plugin for WordPress CVE-2015-7669 (Multiple directory traversal vulnerabilities in (1) includes/MapImport ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-7668 (Cross-site scripting (XSS) vulnerability in includes/MapPinImageSave.p ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-7667 (Multiple cross-site scripting (XSS) vulnerabilities in (1) templates/a ...) NOT-FOR-US: ResAds plugin for WordPress CVE-2015-7666 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) cp_upda ...) NOT-FOR-US: Payment Form for PayPal Pro plugin for WordPress CVE-2015-7664 RESERVED CVE-2015-7663 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7662 (Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7661 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7660 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7659 (Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7658 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7657 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7656 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7655 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-7654 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7653 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7652 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7651 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7650 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe Reader CVE-2015-7649 (Adobe Shockwave Player before 12.2.1.171 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2015-7648 (Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7647 (Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7646 REJECTED CVE-2015-7645 (Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7644 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7643 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7642 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7641 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7640 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7639 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7638 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-7637 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7636 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7635 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7634 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7633 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7632 (Buffer overflow in Adobe Flash Player before 18.0.0.252 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7631 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7630 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7629 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7628 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7627 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7626 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7625 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7624 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7623 (The ANAuthenticateResource method in Adobe Reader and Acrobat 10.x bef ...) NOT-FOR-US: Adobe CVE-2015-7622 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) 
	NOT-FOR-US: Adobe
CVE-2015-7621 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-7620 (The ANSendForBrowserReview method in Adobe Reader and Acrobat 10.x bef ...)
	NOT-FOR-US: Adobe
CVE-2015-7619 (The ANShareFile2 method in Adobe Reader and Acrobat 10.x before 10.1.1 ...)
	NOT-FOR-US: Adobe
CVE-2015-7618 (The CBAutoConfigCommentRepository method in Adobe Reader and Acrobat 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-7617 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-7616 (The ANVerifyComments method in Adobe Reader and Acrobat 10.x before 10 ...)
	NOT-FOR-US: Adobe
CVE-2015-7615 (Use-after-free vulnerability in a SaveAs feature in Adobe Reader and A ...)
	NOT-FOR-US: Adobe
CVE-2015-7614 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...)
	NOT-FOR-US: Adobe
CVE-2015-7612 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Orga ...)
	NOT-FOR-US: McAfee
CVE-2015-7665 (Tails before 1.7 includes the wget program but does not prevent automa ...)
	NOT-FOR-US: wget as used in Tails
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/10
CVE-2015-7613 (Race condition in the IPC object implementation in the Linux kernel th ...)
	{DSA-3372-1 DLA-325-1}
	- linux 4.2.3-1
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf (v4.3-rc4)
CVE-2015-7610 (Cross-site request forgery (CSRF) vulnerability in the login form in Z ...)
	NOT-FOR-US: Zimbra
CVE-2015-7609 (Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the er ...)
	NOT-FOR-US: Synacor Zimbra Mail Client
CVE-2015-7608
	RESERVED
CVE-2015-7607
	RESERVED
CVE-2015-7606
	RESERVED
CVE-2015-7605
	RESERVED
CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its alloca ...)
	{DSA-3378-1 DLA-434-1}
	- gdk-pixbuf 2.32.0-1
	- gtk+2.0 2.21.5-1
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/3
	NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
	NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
	NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
	NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf
CVE-2015-8875 (Multiple integer overflows in the (1) pixops_composite_nearest, (2) pi ...)
	{DSA-3589-1 DLA-450-1}
	- gdk-pixbuf 2.34.0-1
	NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1)
	NOTE: https://www.openwall.com/lists/oss-security/2016/05/12/3
CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in pixops/pixops ...)
	{DSA-3378-1 DLA-450-1 DLA-434-1}
	- gdk-pixbuf 2.32.1-1
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/4
	NOTE: Fix for CVE-2015-7674: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa (2.32.1)
	NOTE: Additional hardening against further overflows (but not part of the CVE assignment): https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1)
	NOTE: The CVE is only assigned for the overflow in the pixops_scale_nearest function.
	- gtk+2.0 2.21.5-1
	NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf
CVE-2015-XXXX [trivial hash complexity DoS attack]
	- php5 (bug #800564)
	[jessie] - php5 (Too intrusive to backport)
	[wheezy] - php5 (Too intrusive to backport)
	[squeeze] - php5 (Too intrusive to backport)
	NOTE: https://bugs.php.net/bug.php?id=70644
	NOTE: https://github.com/bk2204/php-hash-dos
CVE-2015-7698 (icewind1991 SMB before 1.0.3 allows remote authenticated users to exec ...)
	- php-smb 1.0.3a-1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-017
CVE-2015-7699 (The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8 ...)
	{DSA-3373-1}
	- owncloud 7.0.9~dfsg-1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-018
	NOTE: https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f
CVE-2015-7611 (Apache James Server 2.3.2, when configured with file-based user reposi ...)
	NOT-FOR-US: Apache James
CVE-2015-7604 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...)
	NOT-FOR-US: Splunk
CVE-2015-7603 (Directory traversal vulnerability in Konica Minolta FTP Utility 1.0 al ...)
	NOT-FOR-US: Konica Minolta FTP Utility
CVE-2015-7602 (Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows rem ...)
	NOT-FOR-US: BisonWare BisonFTP
CVE-2015-7601 (Directory traversal vulnerability in PCMan's FTP Server 2.0.7 allows r ...)
	NOT-FOR-US: PCMan's FTP Server
CVE-2015-7600 (Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions for vpn ...)
	NOT-FOR-US: Cisco VPN Client
CVE-2015-7599 (Integer overflow in the _authenticate function in svc_auth.c in Wind R ...)
	NOT-FOR-US: Wind River VxWorks
CVE-2015-7598 (SafeNet Authentication Service TokenValidator Proxy Agent uses a weak ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7597 (SafeNet Authentication Service IIS Agent uses a weak ACL for unspecifi ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7596 (SafeNet Authentication Service End User Software Tools for Windows use ...)
	NOT-FOR-US: SafeNet Authentication Service
CVE-2015-7595
	REJECTED
CVE-2015-7594
	REJECTED
CVE-2015-7593
	REJECTED
CVE-2015-7592
	REJECTED
CVE-2015-7591
	REJECTED
CVE-2015-7590
	REJECTED
CVE-2015-7589
	REJECTED
CVE-2015-7588
	REJECTED
CVE-2015-7587
	REJECTED
CVE-2015-7586
	REJECTED
CVE-2015-7585
	REJECTED
CVE-2015-7584
	REJECTED
CVE-2015-7583
	REJECTED
CVE-2015-7582
	REJECTED
CVE-2015-7581 (actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in ...)
	{DSA-3464-1}
	- rails 2:4.2.5.1-1
	[wheezy] - rails (Vulnerable code not present, is only a transitional package)
	[squeeze] - rails (Not supported in Squeeze LTS)
	- ruby-actionpack-3.2
	[wheezy] - ruby-actionpack-3.2 (Vulnerable code not present)
	- ruby-actionpack-2.3
	[wheezy] - ruby-actionpack-2.3
CVE-2015-7580 (Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.r ...)
	- ruby-rails-html-sanitizer 1.0.3-1 (bug #812814)
CVE-2015-7579 (Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer g ...)
	- ruby-rails-html-sanitizer 1.0.3-1 (bug #812814)
CVE-2015-7578 (Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer g ...)
	- ruby-rails-html-sanitizer 1.0.3-1 (bug #812814)
CVE-2015-7577 (activerecord/lib/active_record/nested_attributes.rb in Active Record i ...)
	{DSA-3464-1 DLA-496-1}
	- rails 2:4.2.5.1-1
	[wheezy] - rails (Vulnerable code not present, is only a transitional package)
	[squeeze] - rails (Not supported in Squeeze LTS)
	- ruby-activerecord-3.2
	- ruby-activerecord-2.3
	[wheezy] - ruby-activerecord-2.3
CVE-2015-7576 (The http_basic_authenticate_with method in actionpack/lib/action_contr ...)
	{DSA-3464-1 DLA-604-1}
	- rails 2:4.2.5.1-1
	[wheezy] - rails (Vulnerable code not present, is only a transitional package)
	[squeeze] - rails (Not supported in Squeeze LTS)
	- ruby-actionpack-3.2
	- ruby-actionpack-2.3
	[wheezy] - ruby-actionpack-2.3
	- ruby-activesupport-3.2
	[wheezy] - ruby-activesupport-3.2 (Vulnerable code not present)
	- ruby-activesupport-2.3
	[wheezy] - ruby-activesupport-2.3
	NOTE: https://github.com/rails/rails/commit/a6fa3960c3a149e83eb2ff057be4472a82958e3d
CVE-2015-7575 (Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozi ...)
	{DSA-3688-1 DSA-3491-1 DSA-3465-1 DSA-3458-1 DSA-3457-1 DSA-3437-1 DSA-3436-1 DLA-410-1}
	- iceweasel 43.0.2-1
	[squeeze] - iceweasel
	- icedove 38.6.0-1
	[squeeze] - icedove
	- nss 2:3.21-1
	[squeeze] - nss (only affects nss post 2012-07-26)
	[wheezy] - nss (TLS 1.2 not supported in 3.14, only 3.15.1 and above)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
	NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=660286
	NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
	NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85
	- openssl 1.0.1f-1
	[squeeze] - openssl (Vulnerable code not present)
	NOTE: OpenSSL fix: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a
	- openjdk-8 7u95-2.6.4-1
	- openjdk-7 7u95-2.6.4-1
	- openjdk-6
	NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef
	- gnutls28 3.3.15-1
	[jessie] - gnutls28 3.3.8-6+deb8u3
	- gnutls26
	[squeeze] - gnutls26 (TLS1.2 not supported)
	NOTE: http://gnutls.org/security.html#GNUTLS-SA-2015-2
	NOTE: http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
	NOTE: https://gitlab.com/gnutls/gnutls/commit/7d9d5c61f8445dc9e9ca47bb575c77cef17da17a
	NOTE: https://gitlab.com/gnutls/gnutls/commit/0e3fc7881d37246fc2d51dc404cad95b205c0e1e
	NOTE: https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/05/8
	NOTE: http://www.mitls.org/pages/attacks/SLOTH
CVE-2015-7574
	REJECTED
CVE-2015-7573
	REJECTED
CVE-2015-7572
	REJECTED
CVE-2015-7571 (Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remo ...)
	NOT-FOR-US: Yeager CMS
CVE-2015-7570 (Multiple server-side request forgery (SSRF) vulnerabilities in Yeager ...)
	NOT-FOR-US: Yeager CMS
CVE-2015-7569 (SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager C ...)
	NOT-FOR-US: Yeager CMS
CVE-2015-7568 (SQL injection vulnerability in the password recovery feature in Yeager ...)
	NOT-FOR-US: Yeager CMS
CVE-2015-7567 (SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attacker ...)
	NOT-FOR-US: Yeager CMS
CVE-2015-7566 (The clie_5_attach function in drivers/usb/serial/visor.c in the Linux ...)
	{DSA-3448-1 DLA-412-1}
	- linux 4.3.3-6
	[wheezy] - linux 3.2.73-2+deb7u3
	- linux-2.6
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283371 (not (yet) public)
	NOTE: Proposed upstream patch: http://marc.info/?l=linux-usb&m=145260786729359&w=2
CVE-2015-7565 (Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.1 ...)
	NOT-FOR-US: ember.js
CVE-2015-7564 (Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier ...)
	- teampass (bug #730180)
CVE-2015-7563 (Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and ...)
	- teampass (bug #730180)
CVE-2015-7562 (Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 ...)
	- teampass (bug #730180)
CVE-2015-7561 (Kubernetes in OpenShift3 allows remote authenticated users to use the ...)
	NOT-FOR-US: OpenShift
CVE-2015-7560 (The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4. ...)
	{DSA-3514-1}
	- samba 2:4.3.6+dfsg-1
	NOTE: https://www.samba.org/samba/security/CVE-2015-7560.html
CVE-2015-7559 (It was found that the Apache ActiveMQ client before 5.15.5 exposed a r ...)
	{DLA-913-1}
	- activemq 5.14.3-3 (bug #860866)
	[jessie] - activemq 5.6.0+dfsg1-4+deb8u3
	NOTE: Upstream commit: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e
	NOTE: https://issues.apache.org/jira/browse/AMQ-6470
CVE-2015-7558 (librsvg before 2.40.12 allows context-dependent attackers to cause a d ...)
	{DSA-3584-1 DLA-477-1}
	- librsvg 2.40.12-1
	[squeeze] - librsvg (Too intrusive to backport)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268243
	NOTE: https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61 (2.40.12)
CVE-2015-7557 (The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg be ...)
	{DLA-395-1}
	- librsvg 2.40.9-2
	[jessie] - librsvg 2.40.5-1+deb8u1
	[wheezy] - librsvg 2.36.1-2+deb7u1
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=738050 (not publicly accessible)
	NOTE: https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df (2.40.7)
CVE-2015-7556 (DeleGate 9.9.13 allows local users to gain privileges as demonstrated ...)
	NOT-FOR-US: DeleGate
CVE-2015-7555 (Heap-based buffer overflow in giffix.c in giffix in giflib 5.1.1 allow ...)
	{DLA-389-1}
	- giflib 5.1.2-0.1 (bug #808704)
	[jessie] - giflib 4.1.6-11+deb8u1
	[wheezy] - giflib 4.1.6-10+deb7u1
	NOTE: Upstream fix http://sourceforge.net/p/giflib/code/ci/179510be300bf11115e37528d79619b53c884a63
CVE-2015-7554 (The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attac ...)
	{DLA-693-1 DLA-692-1}
	- tiff 4.0.7-7 (bug #809066; bug #842043; bug #850316)
	[jessie] - tiff 4.0.3-12.3+deb8u4
	- tiff3
	NOTE: https://www.openwall.com/lists/oss-security/2015/12/26/7
	NOTE: SUSE seem to have a fix (disputed): https://bugzilla.suse.com/show_bug.cgi?id=960341
	NOTE: Reproducer file here: https://bugzilla.suse.com/attachment.cgi?id=665389
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564
	NOTE: partially fixed by http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2
	NOTE: --
	NOTE: The problem is present in tiff3 3.9.6-11+deb7u1 on wheezy (the problematic code
	NOTE: gets executed under gdb), however for some reason this does not lead to a segfault.
CVE-2015-7553 (Race condition in the kernel in Red Hat Enterprise Linux 7, kernel-rt ...)
	- linux (RHEL-specific backport bug)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1288934
	NOTE: Related to an incomplete RHEL backport of https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ac2bde2a4a05c38e2bd733bea94507cb1461e06
CVE-2015-7552 (Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixb ...)
	{DSA-3589-1 DLA-501-1}
	- gdk-pixbuf 2.32.0-1
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=958963
	NOTE: This was fixed by one of the commits between 2.31.6 and 2.32.0.
	NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4f68cb78a5277f169b9531e6998c00c7976594e4 (2.31.7)
CVE-2015-7551 (The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby befor ...)
	- ruby1.9.1
	[wheezy] - ruby1.9.1 (Minor issue)
	[squeeze] - ruby1.9.1 (DL already fixed with CVE-2009-5147, Fiddle does not have vulnerable code)
	- ruby2.0
	- ruby2.1 (bug #796344)
	[jessie] - ruby2.1 2.1.5-2+deb8u3
	- ruby2.2 2.2.4-1 (bug #796551)
	NOTE: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
CVE-2015-7550 (The keyctl_read_key function in security/keys/keyctl.c in the Linux ke ...)
	{DSA-3434-1 DLA-378-1}
	- linux 4.3.3-3
	- linux-2.6
	NOTE: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d (v4.4-rc8)
CVE-2015-7549 (The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) a ...)
	{DSA-3471-1}
	- qemu 1:2.5+dfsg-1 (bug #808131)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm
	[wheezy] - qemu-kvm (Vulnerable code not present)
	[squeeze] - qemu-kvm (Vulnerable code not present)
	NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=43b11a91dd861a946b231b89b7542856ade23d1b (v2.5.0-rc0)
	NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d35e428c8400f9ddc07e5a15ff19622c869b9ba0 (v1.2.0-rc0)
CVE-2015-7548 (OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0 ...)
	- nova 2:13.0.0~rc3-1
	[jessie] - nova (Minor issue)
	[wheezy] - nova (Minor issue)
	NOTE: Affects: Nova: <=2015.1.2, ==12.0.0
	NOTE: https://bugs.launchpad.net/bugs/1524274
CVE-2015-7547 (Multiple stack-based buffer overflows in the (1) send_dg and (2) send_ ...)
	{DSA-3481-1 DSA-3480-1 DLA-416-1}
	- glibc 2.21-8
	- eglibc
	NOTE: https://googleonlinesecurity.blogspot.cz/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
	NOTE: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
CVE-2015-7546 (The identity service in OpenStack Identity (Keystone) before 2015.1.3 ...)
	- keystone 2:9.0.0~rc2-1
	[jessie] - keystone (Too intrusive to backport, needs to switch to different token provider)
	[wheezy] - keystone (Too intrusive to backport, needs to switch to different token provider)
	- python-keystonemiddleware 3.0.0-1
	[jessie] - python-keystonemiddleware (Too intrusive to backport, needs to switch to different token provider)
	NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0062
	NOTE: Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
	NOTE: Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2
CVE-2015-7544 (redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manage ...)
	NOT-FOR-US: redhat-support-plugin-rhev
CVE-2015-7543 (aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create tem ...)
	{DLA-367-1 DLA-366-1}
	- kde4libs (Fixed before the first release in Debian)
	- kdelibs
	- arts
	NOTE: https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
CVE-2015-7542 (A vulnerability exists in libgwenhywfar through 4.12.0 due to the usag ...)
	{DLA-469-1}
	- libgwenhywfar 4.12.0beta-3 (bug #748955; medium)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1272503
	NOTE: Debian packaging fix: http://source.lenk.info/git/pkg-libgwenhywfar.git/commitdiff/86dacaae3a233f6ca3b420e0bfdb12eb5ef40b91
CVE-2015-7541 (The initialize method in the Histogram class in lib/colorscore/histogr ...)
	NOT-FOR-US: colorscore gem for Ruby
CVE-2015-7540 (The LDAP server in the AD domain controller in Samba 4.x before 4.1.22 ...)
	{DSA-3433-1}
	- samba 2:4.1.22+dfsg-1
	[wheezy] - samba (Only affects 4.0.0 to 4.1.21)
	[squeeze] - samba (Only affects 4.0.0 to 4.1.21)
	NOTE: https://www.samba.org/samba/security/CVE-2015-7540.html
CVE-2015-7539 (The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 doe ...)
	- jenkins
CVE-2015-7538 (Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to ...)
	- jenkins
CVE-2015-7537 (Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.64 ...)
	- jenkins
CVE-2015-7536 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and L ...)
	- jenkins
CVE-2015-7535
	REJECTED
CVE-2015-7534
	REJECTED
CVE-2015-7533
	REJECTED
CVE-2015-7532
	REJECTED
CVE-2015-7531
	REJECTED
CVE-2015-7530
	REJECTED
CVE-2015-7529 (sosreport in SoS 3.x allows local users to obtain sensitive informatio ...)
	- sosreport 3.2+git276-g7da50d6-3 (unimportant)
	NOTE: Neutralised by kernel hardening
CVE-2015-7528 (Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitr ...)
	- kubernetes (Fixed before initial release to archive)
	NOTE: https://github.com/kubernetes/kubernetes/pull/17886
CVE-2015-7527 (lib/core.php in the Cool Video Gallery plugin 1.9 for WordPress allows ...)
	NOT-FOR-US: WordPress plugin cool-video-gallery
CVE-2015-7526
	REJECTED
CVE-2015-7525
	REJECTED
CVE-2015-7524
	REJECTED
CVE-2015-7523
	REJECTED
CVE-2015-7522
	REJECTED
CVE-2015-7521 (The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, ...)
	NOT-FOR-US: Apache Hive
CVE-2015-7520 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGr ...)
	NOT-FOR-US: Apache Wicket
CVE-2015-7519 (agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0. ...)
	{DLA-1399-1 DLA-394-1}
	- passenger 5.0.22-1 (bug #807354)
	- ruby-passenger (bug #864651)
	[wheezy] - ruby-passenger (Minor issue)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=956281
	NOTE: https://github.com/phusion/passenger/commit/c04590871ca0878d4d3ac1220c5a554b049056b4 (4.x)
	NOTE: https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e (5.x)
CVE-2015-7518 (Multiple cross-site scripting (XSS) vulnerabilities in information pop ...)
	- foreman (bug #663101)
CVE-2015-7517 (Multiple SQL injection vulnerabilities in the Double Opt-In for Downlo ...)
	NOT-FOR-US: Double Opt-In for Download plugin for WordPress
CVE-2015-7516 (ONOS before 1.5.0 when using the ifwd app allows remote attackers to c ...)
	NOT-FOR-US: Onos
CVE-2015-7515 (The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linu ...)
	{DSA-3607-1}
	- linux 4.4.2-1
	[wheezy] - linux 3.2.81-1
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1285326
	NOTE: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf
	NOTE: Upstream commit: https://git.kernel.org/linus/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 (v4.4-rc6)
CVE-2015-7514 (OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after u ...)
	- ironic 1:4.2.2-1 (bug #807269)
CVE-2015-7513 (arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the P ...)
	{DSA-3434-1}
	- linux 4.3.3-3
	- linux-2.6
	[squeeze] - linux-2.6 (KVM not supported in Squeeze LTS)
	NOTE: https://git.kernel.org/linus/0185604c2d82c560dab2f2933a18f797e74ab5a8 (v4.4-rc7)
CVE-2015-7512 (Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEM ...)
	{DSA-3471-1 DSA-3470-1 DSA-3469-1}
	- qemu 1:2.5+dfsg-1 (bug #806741)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06341.html
CVE-2015-7511 (Libgcrypt before 1.6.5 does not properly perform elliptic-point curve ...)
	{DSA-3478-1 DSA-3474-1}
	- libgcrypt20 1.6.5-2
	- libgcrypt11
	[squeeze] - libgcrypt11 (Vulnerable code not present)
	NOTE: http://www.cs.tau.ac.IL/~tromer/ecdh/
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 (LIBGCRYPT-1-5-BRANCH)
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=de7db12fa04016e12dffb2b678632f45eba15ec4 (libgcrypt-1.6.5)
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=28eb424e4427b320ec1c9c4ce56af25d495230bd (libgcrypt-1.6.5)
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a (master)
CVE-2015-7510 (Stack-based buffer overflow in the getpwnam and getgrnam functions of ...)
	- systemd 229-1
	[jessie] - systemd (Vulnerable code introduced later, v223)
	[wheezy] - systemd (Vulnerable code introduced later, v223)
	NOTE: https://github.com/systemd/systemd/commit/cb31827d62066a04b02111df3052949fda4b6888 (v229)
	NOTE: https://github.com/systemd/systemd/issues/2002
CVE-2015-7509 (fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proxi ...)
	- linux 3.8-1~experimental.1
	[wheezy] - linux 3.2.68-1
	- linux-2.6
	[squeeze] - linux-2.6 2.6.32-48squeeze9
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1259222
	NOTE: https://git.kernel.org/linus/c9b92530a723ac5ef8e352885a1862b18f31b2f5
	NOTE: https://git.kernel.org/linus/0e9a9a1ad619e7e987815d20262d36a2f95717ca
CVE-2015-7508 (Heap-based buffer overflow in the bmp_decode_rle function in libnsbmp. ...)
	- libnsbmp
	[squeeze] - libnsbmp (Library not used anywhere in Debian)
	NOTE: http://source.netsurf-browser.org/libnsbmp.git/commit/?id=041df43bbe273b0829132b0b17d89a69da2927d4
	- netsurf 3.2+dfsg-3 (bug #810491)
	[jessie] - netsurf (netsurf already relies only on entirely unsupported mozjs)
	[wheezy] - netsurf (netsurf already relies only on entirely unsupported mozjs)
CVE-2015-7507 (libnsbmp.c in Libnsbmp 0.1.2 allows context-dependent attackers to cau ...)
	- libnsbmp
	[squeeze] - libnsbmp (Library not used anywhere in Debian)
	NOTE: http://source.netsurf-browser.org/libnsbmp.git/commit/?id=49427b52ba41a1813e3822301612e2e170107efd
	- netsurf 3.2+dfsg-3 (bug #810491)
	[jessie] - netsurf (netsurf already relies only on entirely unsupported mozjs)
	[wheezy] - netsurf (netsurf already relies only on entirely unsupported mozjs)
CVE-2015-7506 (The gif_next_LZW function in libnsgif.c in Libnsgif 0.1.2 allows conte ...)
	- libnsgif
	[squeeze] - libnsgif (Library not used anywhere in Debian)
	NOTE: http://source.netsurf-browser.org/libnsgif.git/commit/?id=088fa0819f1aeaf212a95caf7393a38c1640b5f0
	- netsurf 3.2+dfsg-3 (bug #810491)
	[jessie] - netsurf (netsurf already relies only on entirely unsupported mozjs)
	[wheezy] - netsurf (netsurf already relies only on entirely unsupported mozjs)
CVE-2015-7505 (Stack-based buffer overflow in the gif_next_LZW function in libnsgif.c ...)
	- libnsgif
	[squeeze] - libnsgif (Library not used anywhere in Debian)
	NOTE: http://source.netsurf-browser.org/libnsgif.git/commit/?id=a268d2c15252ac58c19f1b19771822c66bcf73b2
	- netsurf 3.2+dfsg-3 (bug #810491)
	[jessie] - netsurf (netsurf already relies only on entirely unsupported mozjs)
	[wheezy] - netsurf (netsurf already relies only on entirely unsupported mozjs)
CVE-2015-7504 (Heap-based buffer overflow in the pcnet_receive function in hw/net/pcn ...)
	{DSA-3471-1 DSA-3470-1 DSA-3469-1}
	- qemu 1:2.5+dfsg-1 (bug #806742)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html
	NOTE: Xen not affected in wheezy, CVE covered by XSA-162: https://marc.info/?l=oss-security&m=144888089404618&w=2
CVE-2015-7503 (Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2. ...)
	NOT-FOR-US: php-zend-crypt
	NOTE: http://framework.zend.com/security/advisory/ZF2015-10
CVE-2015-7502 (Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4 ...)
	NOT-FOR-US: Red Hat CloudForms
CVE-2015-7500 (The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows c ...)
	{DSA-3430-1 DLA-373-1}
	- libxml2 2.9.3+dfsg1-1
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f (v2.9.3)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756525 (upstream bug not yet open)
CVE-2015-7499 (Heap-based buffer overflow in the xmlGROW function in parser.c in libx ...)
	{DSA-3430-1 DLA-373-1}
	- libxml2 2.9.3+dfsg1-1
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc (v2.9.3)
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da (v2.9.3)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756479 (upstream bug not yet open)
CVE-2015-7498 (Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c ...)
	{DSA-3430-1 DLA-373-1}
	- libxml2 2.9.3+dfsg1-1
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=afd27c21f6b36e22682b7da20d726bce2dcb2f43 (v2.9.3)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756527 (upstream bug not yet open)
CVE-2015-7497 (Heap-based buffer overflow in the xmlDictComputeFastQKey function in d ...)
	{DSA-3430-1 DLA-373-1}
	- libxml2 2.9.3+dfsg1-1
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9 (v2.9.3)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756528 (upstream bug not yet open)
CVE-2015-7496 (GNOME Display Manager (gdm) before 3.18.2 allows physically proximate ...)
	- gdm3 3.18.2-1
	[jessie] - gdm3 (Vulnerable code not present, unreproducible)
	[wheezy] - gdm3 (Vulnerable code not present, unreproducible)
	[squeeze] - gdm3 (Vulnerable code not present)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758032
	NOTE: https://git.gnome.org/browse/gdm/commit/?id=5ac2246
	NOTE: https://git.gnome.org/browse/gdm/commit/?id=05e5fc2
CVE-2015-7495
	RESERVED
CVE-2015-7494 (A vulnerability has been identified in IBM Cloud Orchestrator services ...)
	NOT-FOR-US: IBM
CVE-2015-7493 (IBM InfoSphere Information Server could allow a local user under speci ...)
	NOT-FOR-US: IBM
CVE-2015-7492 (Cross-site scripting (XSS) vulnerability in Reference Data Management ...)
	NOT-FOR-US: IBM
CVE-2015-7491 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x ...)
	NOT-FOR-US: IBM
CVE-2015-7490 (IBM InfoSphere Information Server 8.5 through FP3, 8.7 through FP2, 9. ...)
	NOT-FOR-US: IBM
CVE-2015-7489 (IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses ...)
	NOT-FOR-US: IBM
CVE-2015-7488 (IBM Spectrum Scale 4.1.1.x before 4.1.1.4 and 4.2.x before 4.2.0.1, in ...)
	NOT-FOR-US: IBM
CVE-2015-7487 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 ...)
	NOT-FOR-US: IBM
CVE-2015-7486 (Cross-site scripting (XSS) vulnerability in IBM Rational Engineering L ...)
	NOT-FOR-US: IBM Rational Engineering Lifecycle Manager
CVE-2015-7485 (Cross-site scripting (XSS) vulnerability in IBM Rational Engineering L ...)
	NOT-FOR-US: IBM Rational Engineering Lifecycle Manager
CVE-2015-7484 (IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 In ...)
	NOT-FOR-US: IBM Rational Engineering Lifecycle Manager
CVE-2015-7483
	RESERVED
CVE-2015-7482
	RESERVED
CVE-2015-7481
	RESERVED
CVE-2015-7480
	RESERVED
CVE-2015-7479
	RESERVED
CVE-2015-7478
	RESERVED
CVE-2015-7477
	RESERVED
CVE-2015-7476
	RESERVED
CVE-2015-7475
	RESERVED
CVE-2015-7474 (Cross-site scripting (XSS) vulnerability in Jazz Foundation in IBM Rat ...)
	NOT-FOR-US: IBM Rational Engineering Lifecycle Manager
CVE-2015-7473 (runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to b ...)
	NOT-FOR-US: IBM
CVE-2015-7472 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...)
	NOT-FOR-US: IBM
CVE-2015-7471 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...)
	NOT-FOR-US: IBM
CVE-2015-7470 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...)
	NOT-FOR-US: IBM
CVE-2015-7469 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...)
	NOT-FOR-US: IBM
CVE-2015-7468 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...)
	NOT-FOR-US: IBM
CVE-2015-7467 (Cross-site scripting (XSS) vulnerability in Report Builder in IBM Jazz ...)
	NOT-FOR-US: IBM
CVE-2015-7466 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 b ...)
	NOT-FOR-US: IBM
CVE-2015-7465 (Cross-site request forgery (CSRF) vulnerability in Lifecycle Query Eng ...)
	NOT-FOR-US: IBM
CVE-2015-7464 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...)
	NOT-FOR-US: IBM
CVE-2015-7463 (IBM Business Process Manager 7.5.x, 8.0.x, 8.5.0, 8.5.5, and 8.5.6.0 t ...)
	NOT-FOR-US: IBM
CVE-2015-7462 (IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users to disc ...)
	NOT-FOR-US: IBM
CVE-2015-7461 (XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and ...)
	NOT-FOR-US: IBM
CVE-2015-7460 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...)
	NOT-FOR-US: IBM
CVE-2015-7459 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...)
	NOT-FOR-US: IBM
CVE-2015-7458 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...)
	NOT-FOR-US: IBM
CVE-2015-7457 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x ...)
	NOT-FOR-US: IBM
CVE-2015-7456 (IBM Spectrum Scale 4.1.1 before 4.1.1.4, and 4.2.0.0, allows remote au ...)
	NOT-FOR-US: IBM
CVE-2015-7455 (IBM WebSphere Portal 7.x through 7.0.0.2 CF29, 8.0.x before 8.0.0.1 CF ...)
	NOT-FOR-US: IBM
CVE-2015-7454 (Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 ...)
	NOT-FOR-US: IBM
CVE-2015-7453 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...)
	NOT-FOR-US: IBM
CVE-2015-7452 (IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6. ...)
	NOT-FOR-US: IBM
CVE-2015-7451 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...)
	NOT-FOR-US: IBM
CVE-2015-7450 (Serialized-object interfaces in certain IBM analytics, business soluti ...)
	NOT-FOR-US: IBM
CVE-2015-7449 (IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0 ...)
	NOT-FOR-US: IBM
CVE-2015-7448 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 through ...)
	NOT-FOR-US: IBM
CVE-2015-7447 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...)
	NOT-FOR-US: IBM
CVE-2015-7446 (Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9 ...)
	NOT-FOR-US: IBM
CVE-2015-7445 (IBM Multi-Enterprise Integration Gateway 1.0 through 1.0.0.1 and B2B A ...)
	NOT-FOR-US: IBM
CVE-2015-7444 (The Update Installer in IBM WebSphere Commerce Enterprise 7.0.0.8 and ...)
	NOT-FOR-US: IBM
CVE-2015-7443
	RESERVED
CVE-2015-7442 (consoleinst.sh in IBM Installation Manager before 1.7.4.4 and 1.8.x be ...)
	NOT-FOR-US: IBM
CVE-2015-7441 (Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Bus ...)
	NOT-FOR-US: IBM
CVE-2015-7440 (IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0 ...)
NOT-FOR-US: IBM CVE-2015-7439 (Cross-site scripting (XSS) vulnerability in InfoSphere Data Architect ...) NOT-FOR-US: IBM CVE-2015-7438 (IBM Sterling B2B Integrator 5.2 allows local users to obtain sensitive ...) NOT-FOR-US: IBM CVE-2015-7437 (Queue Watcher in IBM Sterling B2B Integrator 5.2 allows local users to ...) NOT-FOR-US: IBM CVE-2015-7436 (IBM Tivoli Common Reporting (TCR) 2.1 before IF14, 2.1.1 before IF22, ...) NOT-FOR-US: IBM CVE-2015-7435 (IBM Tivoli Common Reporting (TCR) 2.1 before IF14, 2.1.1 before IF22, ...) NOT-FOR-US: IBM CVE-2015-7434 (IBM Capacity Management Analytics 2.1.0.0 allows local users to discov ...) NOT-FOR-US: IBM CVE-2015-7433 (IBM Capacity Management Analytics 2.1.0.0 allows local users to discov ...) NOT-FOR-US: IBM CVE-2015-7432 (IBM Capacity Management Analytics 2.1.0.0 allows local users to decryp ...) NOT-FOR-US: IBM CVE-2015-7431 (Cross-site scripting (XSS) vulnerability in Queue Watcher in IBM Sterl ...) NOT-FOR-US: IBM CVE-2015-7430 (The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for I ...) NOT-FOR-US: IBM CVE-2015-7429 (The Data Protection extension in the VMware GUI in IBM Tivoli Storage ...) NOT-FOR-US: IBM CVE-2015-7428 (Open redirect vulnerability in IBM WebSphere Portal 8.0.x before 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-7427 (IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6. ...) NOT-FOR-US: IBM CVE-2015-7426 (The Data Protection extension in the VMware GUI in IBM Tivoli Storage ...) NOT-FOR-US: IBM CVE-2015-7425 (The Data Protection component in the VMware vSphere GUI in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-7424 (IBM InfoSphere Master Data Management (MDM) - Collaborative Edition 9. ...) NOT-FOR-US: IBM CVE-2015-7423 (Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere ...) NOT-FOR-US: IBM CVE-2015-7422 (Buffer overflow in IBM i Access 7.1 on Windows allows local users to c ...) 
NOT-FOR-US: IBM i Access CVE-2015-7421 (Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8 ...) NOT-FOR-US: IBM CVE-2015-7420 (Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8 ...) NOT-FOR-US: IBM CVE-2015-7419 (IBM WebSphere Portal 8.0.0.1 before CF19 and 8.5.0 before CF09 allows ...) NOT-FOR-US: IBM CVE-2015-7418 (IBM WebSphere eXtreme Scale and the WebSphere DataPower XC10 Appliance ...) NOT-FOR-US: IBM CVE-2015-7417 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-7416 (AFP Workbench Viewer in IBM i Access 7.1 on Windows allows remote atta ...) NOT-FOR-US: IBM CVE-2015-7415 (Multiple cross-site scripting (XSS) vulnerabilities in IBM UrbanCode D ...) NOT-FOR-US: IBM CVE-2015-7414 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM I ...) NOT-FOR-US: IBM CVE-2015-7413 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-7412 (The GatewayScript modules on IBM DataPower Gateways with software 7.2. ...) NOT-FOR-US: IBM CVE-2015-7411 (The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6. ...) NOT-FOR-US: IBM CVE-2015-7410 (The Health Check tool in IBM Sterling B2B Integrator 5.2 does not prop ...) NOT-FOR-US: IBM CVE-2015-7409 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7 ...) NOT-FOR-US: IBM CVE-2015-7408 (The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 an ...) NOT-FOR-US: IBM CVE-2015-7407 (Cross-site request forgery (CSRF) vulnerability in Lotus Mashups in IB ...) NOT-FOR-US: IBM CVE-2015-7406 RESERVED CVE-2015-7405 RESERVED CVE-2015-7404 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...) NOT-FOR-US: IBM CVE-2015-7403 (IBM Spectrum Scale 4.1.1.x before 4.1.1.3 and General Parallel File Sy ...) 
NOT-FOR-US: IBM CVE-2015-7402 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM CVE-2015-7401 (IBM Curam Social Program Management 6.1.x before 6.1.1.1 allows remote ...) NOT-FOR-US: IBM CVE-2015-7400 (The Lotus Mashups component in IBM Mashup Center 3.0.0.1 allows remote ...) NOT-FOR-US: IBM CVE-2015-7399 (IBM WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.6 and ...) NOT-FOR-US: IBM CVE-2015-7398 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Mana ...) NOT-FOR-US: IBM CVE-2015-7397 (Multiple open redirect vulnerabilities in the Aurora starter store in ...) NOT-FOR-US: IBM CVE-2015-7396 (The Scheduler in IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 an ...) NOT-FOR-US: IBM CVE-2015-7395 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-7394 (The datastor kernel module in F5 BIG-IP Analytics, APM, ASM, Link Cont ...) NOT-FOR-US: BIG-IQ CVE-2015-7393 (dcoep in BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.0 t ...) NOT-FOR-US: BIG-IP CVE-2015-7392 (Heap-based buffer overflow in the parse_string function in libs/esl/sr ...) - freeswitch (bug #389591) CVE-2015-7391 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...) NOT-FOR-US: TestLink CVE-2015-7390 (SQL injection vulnerability in TestLink before 1.9.14 allows remote at ...) NOT-FOR-US: TestLink CVE-2015-7389 RESERVED CVE-2015-7388 RESERVED CVE-2015-7387 (ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allow ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer CVE-2015-7386 (Multiple cross-site scripting (XSS) vulnerabilities in includes/metabo ...) NOT-FOR-US: Gallery - Photo Albums - Portfolio plugin for WordPress CVE-2015-7385 (Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard befo ...) NOT-FOR-US: Open-Xchange CVE-2015-7384 (Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a den ...) 
- nodejs 4.1.1~dfsg-3 (bug #800580) [jessie] - nodejs (Vulnerability not present) NOTE: https://groups.google.com/forum/#!topic/nodejs-sec/fSNEQiuof6I CVE-2015-8076 (The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3. ...) - cyrus-imapd-2.4 2.4.17+nocaldav-2 [jessie] - cyrus-imapd-2.4 2.4.17+nocaldav-0~deb8u1 [wheezy] - cyrus-imapd-2.4 (Minor issue; can be fixed alone in a future DLA) NOTE: https://www.openwall.com/lists/oss-security/2015/09/29/2 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b CVE-2015-7383 (Multiple cross-site scripting (XSS) vulnerabilities in Web Reference D ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7382 (SQL injection vulnerability in install.php in Web Reference Database ( ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7381 (Multiple PHP remote file inclusion vulnerabilities in install.php in W ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7380 REJECTED CVE-2015-7379 REJECTED CVE-2015-7378 (Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "P ...) NOT-FOR-US: Panda Security CVE-2015-7377 (Cross-site scripting (XSS) vulnerability in pie-register/pie-register. ...) NOT-FOR-US: Pie Register plugin for WordPress CVE-2015-7376 RESERVED CVE-2015-7375 (Schneider Electric InduSoft Web Studio before 8.0 allows remote attack ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-7374 (The Remote Agent component in Schneider Electric InduSoft Web Studio b ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-7373 (Cross-site scripting (XSS) vulnerability in the "magic-macros" feature ...) NOT-FOR-US: Revive Adserver CVE-2015-7372 (Directory traversal vulnerability in delivery-dev/al.php in Revive Ads ...) 
NOT-FOR-US: Revive Adserver CVE-2015-7371 (Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, ...) NOT-FOR-US: Revive Adserver CVE-2015-7370 (Multiple cross-site scripting (XSS) vulnerabilities in open-flash-char ...) NOT-FOR-US: Revive Adserver CVE-2015-7369 (The default Flash cross-domain policy (crossdomain.xml) in Revive Adse ...) NOT-FOR-US: Revive Adserver CVE-2015-7368 (Revive Adserver before 3.2.2 does not send the appropriate Cache-Contr ...) NOT-FOR-US: Revive Adserver CVE-2015-7367 (Revive Adserver before 3.2.2 allows remote attackers to perform unspec ...) NOT-FOR-US: Revive Adserver CVE-2015-7366 (Multiple cross-site request forgery (CSRF) vulnerabilities in Revive A ...) NOT-FOR-US: Revive Adserver CVE-2015-7365 (Cross-site scripting (XSS) vulnerability in the plugin upgrade form in ...) NOT-FOR-US: Revive Adserver CVE-2015-7364 (The HTML_Quickform library, as used in Revive Adserver before 3.2.2, a ...) NOT-FOR-US: Revive Adserver CVE-2015-7363 (Cross-site scripting (XSS) vulnerability in the advanced settings page ...) NOT-FOR-US: Fortinet CVE-2015-7362 (Fortinet FortiClient Linux SSLVPN before build 2313, when installed on ...) NOT-FOR-US: Fortinet CVE-2015-7361 (FortiOS 5.2.3, when configured to use High Availability (HA) and the d ...) NOT-FOR-US: FortiOS CVE-2015-7360 (Multiple cross-site scripting (XSS) vulnerabilities in the Web User In ...) NOT-FOR-US: Fortinet CVE-2015-XXXX [DoS] - libemail-address-perl 1.908-1 [jessie] - libemail-address-perl (Minor issue vs. usability impact of module) [wheezy] - libemail-address-perl (Minor issue vs. usability impact of module) [squeeze] - libemail-address-perl 1.889-2+deb6u2 NOTE: workaround entry for DLA-320-1 until/if CVE assigned NOTE: For the denial of service issue as of 1.908 as mitigation default value NOTE: for nestable comments set to deep level 1. 
NOTE: https://github.com/rjbs/Email-Address/commit/3056b7da4fffbce9ad92f9799fffc587ab40303d NOTE: No CVE will be assigned for behaviour change between 1.907 and 1.908 NOTE: See CVE-2015-7686 for the underlying CWE-407 ("Algorithmic Complexity") NOTE: issue still present in 1.908 NOTE: https://www.openwall.com/lists/oss-security/2015/10/02/13 CVE-2015-7359 (The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in ...) NOT-FOR-US: TrueCrypt CVE-2015-7358 (The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7. ...) NOT-FOR-US: TrueCrypt CVE-2015-7357 (Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) ...) NOT-FOR-US: uDesign CVE-2015-7356 RESERVED CVE-2015-7355 RESERVED CVE-2015-7354 RESERVED CVE-2015-7353 RESERVED CVE-2015-7352 RESERVED CVE-2015-7351 RESERVED CVE-2015-7350 RESERVED CVE-2015-7349 (Cross-site scripting (XSS) vulnerability in the sample feedback.inc fi ...) NOT-FOR-US: Citrix CVE-2015-7348 (Cross-site scripting (XSS) vulnerability in zTree 3.5.19.1 and possibl ...) NOT-FOR-US: zTree CVE-2015-7347 (Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Cont ...) NOT-FOR-US: ZCMS CVE-2015-7346 (SQL injection vulnerability in ZCMS 1.1. ...) NOT-FOR-US: ZCMS CVE-2015-7345 RESERVED CVE-2015-7344 (HikaShop Joomla Component before 2.6.0 has XSS via an injected payload ...) NOT-FOR-US: Joomla addon CVE-2015-7343 (JNews Joomla Component before 8.5.0 has XSS via the mailingsearch para ...) NOT-FOR-US: Joomla addon CVE-2015-7342 (JNews Joomla Component before 8.5.0 allows SQL injection via upload th ...) NOT-FOR-US: Joomla addon CVE-2015-7341 (JNews Joomla Component before 8.5.0 allows arbitrary File Upload via S ...) NOT-FOR-US: Joomla addon CVE-2015-7340 (JEvents Joomla Component before 3.4.0 RC6 has SQL Injection via evid i ...) NOT-FOR-US: Joomla addon CVE-2015-7339 (JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a ...) 
NOT-FOR-US: Joomla addon CVE-2015-7338 (SQL Injection exists in AcyMailing Joomla Component before 4.9.5 via e ...) NOT-FOR-US: Joomla addon CVE-2015-7336 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7335 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7334 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7333 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7332 RESERVED CVE-2015-7331 (The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows re ...) - puppet (Only affects Puppet Enterprise) NOTE: https://puppet.com/security/cve/cve-2015-7331 CVE-2015-7330 (Puppet Enterprise 2015.3 before 2015.3.1 allows remote attackers to by ...) NOT-FOR-US: Puppet Enterprise (Puppet Communications Protocol broker) CVE-2015-7329 RESERVED CVE-2015-7328 (Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015. ...) - puppet (Only affects Puppet Enterprise) CVE-2015-7327 (Mozilla Firefox before 41.0 does not properly restrict the availabilit ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-114/ CVE-2015-7326 (XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0. ...) NOT-FOR-US: Milton Webdav CVE-2015-7325 RESERVED CVE-2015-7324 (Multiple cross-site scripting (XSS) vulnerabilities in helpers/comment ...) NOT-FOR-US: StackIdeas Komento component for Joomla! CVE-2015-7323 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (form ...) NOT-FOR-US: Pulse Connect Secure CVE-2015-7322 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (form ...) NOT-FOR-US: Pulse Connect Secure CVE-2015-7321 RESERVED CVE-2015-7320 (Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointme ...) 
NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2015-7319 (SQL injection vulnerability in cpabc_appointments_admin_int_calendar_l ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2015-7318 (Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers in ...) NOT-FOR-US: Plone CVE-2015-7317 (Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, a ...) NOT-FOR-US: Plone CVE-2015-7316 (Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, ...) NOT-FOR-US: Plone CVE-2015-7315 (Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, ...) NOT-FOR-US: Plone CVE-2015-7310 (McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/ ...) NOT-FOR-US: McAfee CVE-2015-7309 (The theme editor in Bolt before 2.2.5 does not check the file extensio ...) NOT-FOR-US: Bolt CMS CVE-2015-7314 (The Precious module in gollum before 4.0.1 allows remote attackers to ...) NOT-FOR-US: Gollum wiki CVE-2015-7308 RESERVED CVE-2015-7307 (Cross-site scripting (XSS) vulnerability in the CMS Updater module 7.x ...) NOT-FOR-US: CMS Updater module for Drupal CVE-2015-7306 (The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not prop ...) NOT-FOR-US: CMS Updater module for Drupal CVE-2015-7305 (The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly r ...) NOT-FOR-US: Scald module for Drupal CVE-2015-7304 (Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x ...) NOT-FOR-US: amoCRM module for Drupal CVE-2015-7303 (Use-after-free vulnerability in the Update Manager service in Avira Ma ...) NOT-FOR-US: Avira CVE-2015-7302 RESERVED CVE-2015-7301 RESERVED CVE-2015-7300 RESERVED CVE-2015-7299 (SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in K2 bla ...) NOT-FOR-US: K2 CVE-2015-7298 (ownCloud Desktop Client before 2.0.1, when compiled with a Qt release ...) 
- owncloud-client 2.0.0+dfsg-1 [jessie] - owncloud-client (not compiled with a Qt release greater than 5.3.x) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-016 CVE-2015-7297 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote ...) NOT-FOR-US: Joomla! CVE-2015-XXXX [Privilege escalation via core-gui] - core-network (bug #799756) NOTE: http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html CVE-2015-7313 (LibTIFF allows remote attackers to cause a denial of service (memory c ...) - tiff 4.0.7-1 (bug #800124) [jessie] - tiff (Minor issue) [wheezy] - tiff (Can't reproduce) [squeeze] - tiff (Can't reproduce the issue, file is rejected with "Integer overflow in TIFFVStripSize" and "cannot handle zero strip size.") - tiff3 [wheezy] - tiff3 (Can't reproduce the issue, file is rejected with "Integer overflow in TIFFVStripSize" and "cannot handle zero strip size.") NOTE: Test file here: https://marc.info/?l=oss-security&m=144284777006804&q=p6 NOTE: Reproduce with "ltrace -e realloc tiffdither /tmp/oom.tif /dev/null" NOTE: at the end you see "libtiff.so.5->realloc(0, 1636178024)" CVE-2015-7311 (libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly ...) {DSA-3414-1} - xen 4.8.0~rc3-1 (bug #823620) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (Only affects 4.1 and later) NOTE: http://xenbits.xen.org/xsa/advisory-142.html CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...) NOT-FOR-US: Securifi Almond devices CVE-2015-7294 (ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP inj ...) 
NOT-FOR-US: NodeJS ldapauth NOTE: https://www.openwall.com/lists/oss-security/2015/09/18/4 NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21 NOTE: https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 NOTE: https://nodesecurity.io/advisories/19 CVE-2015-7293 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Man ...) NOT-FOR-US: Zope Management Interface CVE-2015-7292 (Stack-based buffer overflow in the havok_write function in drivers/sta ...) NOT-FOR-US: Amazon Fire OS CVE-2015-7291 (Cross-site request forgery (CSRF) vulnerability in adv_pwd_cgi in the ...) NOT-FOR-US: Arris CVE-2015-7290 (Cross-site scripting (XSS) vulnerability in adv_pwd_cgi in the web man ...) NOT-FOR-US: Arris CVE-2015-7289 (Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_10061 ...) NOT-FOR-US: Arris CVE-2015-7288 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allo ...) NOT-FOR-US: CSL DualCom CVE-2015-7287 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use ...) NOT-FOR-US: CSL DualCom CVE-2015-7286 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 rely ...) NOT-FOR-US: CSL DualCom CVE-2015-7285 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do n ...) NOT-FOR-US: CSL DualCom CVE-2015-7284 (Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devi ...) NOT-FOR-US: ZyXEL CVE-2015-7283 (The web administration interface on ZyXEL NBG-418N devices with firmwa ...) NOT-FOR-US: ZyXEL CVE-2015-7282 (ReadyNet WRT300N-DD devices with firmware 1.0.26 use the same source p ...) NOT-FOR-US: ReadyNet CVE-2015-7281 (Cross-site request forgery (CSRF) vulnerability on ReadyNet WRT300N-DD ...) NOT-FOR-US: ReadyNet CVE-2015-7280 (The web administration interface on ReadyNet WRT300N-DD devices with f ...) NOT-FOR-US: ReadyNet CVE-2015-7279 (Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper a ...) 
NOT-FOR-US: Amped Wireless CVE-2015-7278 (Cross-site request forgery (CSRF) vulnerability on Amped Wireless R100 ...) NOT-FOR-US: Amped Wireless CVE-2015-7277 (The web administration interface on Amped Wireless R10000 devices with ...) NOT-FOR-US: Amped Wireless CVE-2015-7276 (Technicolor C2000T and C2100T uses hard-coded cryptographic keys. ...) NOT-FOR-US: Technicolor CVE-2015-7275 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.85 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7274 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows ...) NOT-FOR-US: Dell iDRAC CVE-2015-7273 (Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7272 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7271 (Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7270 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7269 (Seagate ST500LT015 hard disk drives, when operating in eDrive mode on ...) NOT-FOR-US: Seagate ST500LT015 hard disk drives CVE-2015-7268 (Samsung 850 Pro and PM851 solid-state drives and Seagate ST500LT015 an ...) NOT-FOR-US: Samsung CVE-2015-7267 (Samsung 850 Pro and PM851 solid-state drives and Seagate ST500LT015 an ...) NOT-FOR-US: Samsung CVE-2015-7266 (The Interactive Advertising Bureau (IAB) OpenRTB 2.3 protocol implemen ...) NOT-FOR-US: Interactive Advertising Bureau (IAB) OpenRTB CVE-2015-7265 (Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request sta ...) NOT-FOR-US: Facebook Proxygen CVE-2015-7264 (The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a ce ...) NOT-FOR-US: Facebook Proxygen CVE-2015-7263 (The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote ...) 
NOT-FOR-US: Facebook Proxygen CVE-2015-7262 (QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Stat ...) NOT-FOR-US: QNAP CVE-2015-7261 (The FTP service in QNAP iArtist Lite before 1.4.54, as distributed wit ...) NOT-FOR-US: QNAP CVE-2015-7260 (Liebert MultiLink Automated Shutdown v4.2.4 allows local users to gain ...) NOT-FOR-US: Liebert MultiLink Automated Shutdown CVE-2015-7259 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7258 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7257 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7256 (ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI ac ...) NOT-FOR-US: ZyXEL CVE-2015-7255 (ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B ...) NOT-FOR-US: ZTE CVE-2015-7254 (Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s ...) NOT-FOR-US: Huawei CVE-2015-7253 (The Web Console in Commvault Edge Server 10 R2 allows remote attackers ...) NOT-FOR-US: Commvault Edge Server CVE-2015-7252 (Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXH ...) NOT-FOR-US: ZTE router CVE-2015-7251 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a har ...) NOT-FOR-US: ZTE router CVE-2015-7250 (Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H ...) NOT-FOR-US: ZTE router CVE-2015-7249 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remo ...) NOT-FOR-US: ZTE router CVE-2015-7248 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remo ...) NOT-FOR-US: ZTE router CVE-2015-7247 (D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 ...) NOT-FOR-US: D-Link CVE-2015-7246 (D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 ...) 
NOT-FOR-US: D-Link CVE-2015-7245 (Directory traversal vulnerability in D-Link DVG-N5402SP with firmware ...) NOT-FOR-US: D-Link CVE-2015-7244 (The default configuration of the server in MobaXterm before 8.3 has a ...) NOT-FOR-US: MobaXterm CVE-2015-7243 (Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers ...) NOT-FOR-US: Boxoft CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the Push-Service-Mails fea ...) NOT-FOR-US: AVM CVE-2015-7241 (XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. ...) NOT-FOR-US: SAP Netweaver CVE-2015-7240 RESERVED CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function ...) NOT-FOR-US: J2EE CVE-2015-7238 (The Secondary server in Threat Intelligence Exchange (TIE) before 1.2. ...) NOT-FOR-US: TIE CVE-2015-7237 (Directory traversal vulnerability in the remote log viewing functional ...) NOT-FOR-US: McAfee CVE-2015-7235 (Multiple SQL injection vulnerabilities in dex_reservations.php in the ...) NOT-FOR-US: CP Reservation Calendar plugin for WordPress CVE-2015-7234 (The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontolog ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7233 (Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x- ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7232 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7231 (The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drup ...) NOT-FOR-US: The Commerce Commonwealth module for Drupal CVE-2015-7230 (The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows re ...) NOT-FOR-US: Workbench Email module for Drupal CVE-2015-7229 (The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and ...) NOT-FOR-US: Twitter module for Drupal CVE-2015-7228 (The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly ...) 
NOT-FOR-US: RESTful module for Drupal CVE-2015-7227 (The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal do ...) NOT-FOR-US: Fieldable Panels Panes module for Drupal CVE-2015-7226 (The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal chec ...) NOT-FOR-US: Administration Views module for Drupal CVE-2015-7224 (puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass ...) - puppet-module-puppetlabs-mysql 3.6.1-1 [jessie] - puppet-module-puppetlabs-mysql (Vulnerable code not present) CVE-2015-7295 (hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.4+dfsg-4 (bug #799452) [jessie] - qemu (Minor issue; can be fixed along in a later DSA) [wheezy] - qemu (Minor issue; can be fixed along in a later DSA) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [wheezy] - qemu-kvm (Minor issue; can be fixed along in a later DSA) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://www.openwall.com/lists/oss-security/2015/09/18/5 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04729.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04730.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04731.html CVE-2015-7223 (The WebExtension APIs in Mozilla Firefox before 43.0 allow remote atta ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-148/ CVE-2015-7222 (Integer underflow in the Metadata::setData function in MetaData.cpp in ...) {DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-147/ NOTE: Probably specific to Android CVE-2015-7221 (Buffer overflow in the nsDeque::GrowCapacity function in xpcom/glue/ns ...) 
- iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/ CVE-2015-7220 (Buffer overflow in the XDRBuffer::grow function in js/src/vm/Xdr.cpp i ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/ CVE-2015-7219 (The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-142/ CVE-2015-7218 (The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-142/ CVE-2015-7217 (The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux G ...) - iceweasel (Iceweasel in Debian uses the system copy of gdk-pixbuf) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-143/ CVE-2015-7216 (The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux G ...) - iceweasel (Iceweasel in Debian uses the system copy of gdk-pixbuf) NOTE: Disabled in src:gdk-pixbuf in 2.31.7-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-143/ CVE-2015-7215 (The importScripts function in the Web Workers API implementation in Mo ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-140/ CVE-2015-7214 (Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow rem ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-149/ CVE-2015-7213 (Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4 ...) 
	{DSA-3432-1 DSA-3422-1}
	- iceweasel 38.5.0esr-1
	[squeeze] - iceweasel
	- icedove 38.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-146/
CVE-2015-7212 (Integer overflow in the mozilla::layers::BufferTextureClient::Allocate ...)
	{DSA-3432-1 DSA-3422-1}
	- iceweasel 38.5.0esr-1
	[squeeze] - iceweasel
	- icedove 38.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-139/
CVE-2015-7211 (Mozilla Firefox before 43.0 mishandles the # (number sign) character i ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-141/
CVE-2015-7210 (Use-after-free vulnerability in Mozilla Firefox before 43.0 and Firefo ...)
	{DSA-3422-1}
	- iceweasel 38.5.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-138/
CVE-2015-7209
	REJECTED
CVE-2015-7208 (Mozilla Firefox before 43.0 stores cookies containing vertical tab cha ...)
	- iceweasel 44.0-1
	[jessie] - iceweasel (Only affects Firefox 43.x)
	[wheezy] - iceweasel (Only affects Firefox 43.x)
	[squeeze] - iceweasel (Only affects Firefox 43.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-137/
CVE-2015-7207 (Mozilla Firefox before 43.0 does not properly restrict the availabilit ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-136/
CVE-2015-7206
	REJECTED
CVE-2015-7205 (Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in ...)
	{DSA-3432-1 DSA-3422-1}
	- iceweasel 38.5.0esr-1
	[squeeze] - iceweasel
	- icedove 38.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-145/
CVE-2015-7204 (Mozilla Firefox before 43.0 does not properly store the properties of ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-135/
CVE-2015-7203 (Buffer overflow in the DirectWriteFontInfo::LoadFontFamilyData functio ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/
CVE-2015-7202 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/
CVE-2015-7201 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-3432-1 DSA-3422-1}
	- iceweasel 38.5.0esr-1
	[squeeze] - iceweasel
	- icedove 38.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/
CVE-2015-7200 (The CryptoKey interface implementation in Mozilla Firefox before 42.0 ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
CVE-2015-7199 (The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interp ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
CVE-2015-7198 (Buffer overflow in the rx::TextureStorage11 class in ANGLE, as used in ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
CVE-2015-7197 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperl ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
CVE-2015-7196 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, when a J ...)
	{DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/
CVE-2015-7195 (The URL parsing implementation in Mozilla Firefox before 42.0 improper ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/
CVE-2015-7194 (Buffer underflow in libjar in Mozilla Firefox before 42.0 and Firefox ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/
CVE-2015-7193 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperl ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
CVE-2015-7192 (The accessibility-tools feature in Mozilla Firefox before 42.0 on OS X ...)
	- iceweasel (Only affects Firefox on MacOS)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-126/
CVE-2015-7191 (Mozilla Firefox before 42.0 on Android improperly restricts URL string ...)
	- iceweasel (Only affects Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-125/
CVE-2015-7190 (The Search feature in Mozilla Firefox before 42.0 on Android through 4 ...)
	- iceweasel (Only affects Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-124/
CVE-2015-7189 (Race condition in the JPEGEncoder function in Mozilla Firefox before 4 ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
CVE-2015-7188 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow rem ...)
	{DSA-3410-1 DSA-3393-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/
CVE-2015-7187 (The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-121/
CVE-2015-7186 (Mozilla Firefox before 42.0 on Android allows user-assisted remote att ...)
	- iceweasel (Only affects Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-120/
CVE-2015-7185 (Mozilla Firefox before 42.0 on Android does not ensure that the addres ...)
	- iceweasel (ESR38 series not affected)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-119/
CVE-2015-7184 (The fetch API implementation in Mozilla Firefox before 41.0.2 does not ...)
	- iceweasel (Affects only Firefox later than 38)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/
CVE-2015-7183 (Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape P ...)
	{DSA-3406-1 DSA-3393-1 DLA-344-1}
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- nspr 2:4.10.10-1
	- icedove 31.7.0-1~deb8u1
	[squeeze] - icedove
	- virtualbox-ose
	[squeeze] - virtualbox-ose (No longer supported in Squeeze LTS)
	- virtualbox 5.0.10-dfsg-1
	[jessie] - virtualbox 4.3.36-dfsg-1+deb8u1
	[wheezy] - virtualbox (Minor issue, will be fixed when included in next CPU)
	NOTE: VirtualBox fixed: 4.0.36, 4.1.44, 4.2.36, 4.3.34, 5.0.10
	NOTE: http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
	NOTE: http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
	NOTE: Icedove, virtualbox(-ose)? have embedded copies of nspr.
	NOTE: Fixes impact macros PL_ARENA_ALLOCATE and PL_ARENA_GROW, other packages need to be recompiled:
	NOTE: jss (on wheezy/jessie) according to codesearch.debian.net
CVE-2015-7182 (Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Sec ...)
	{DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
	- nss 2:3.20.1-1
	NOTE: http://hg.mozilla.org/projects/nss/rev/4dc247276e58
	NOTE: http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
	NOTE: http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
	NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html
CVE-2015-7181 (The sec_asn1d_parse_leaf function in Mozilla Network Security Services ...)
	{DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
	- nss 2:3.20.1-1
	NOTE: http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
	NOTE: http://hg.mozilla.org/projects/nss/rev/25cb033147fd
	- iceweasel 38.4.0esr-1
	[squeeze] - iceweasel
	- icedove 38.4.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
	NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html
CVE-2015-7180 (The ReadbackResultWriterD3D11::Run function in Mozilla Firefox before ...)
	{DSA-3365-1}
	- iceweasel 38.3.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
CVE-2015-7179 (The VertexBufferInterface::reserveVertexSpace function in libGLES in A ...)
	- iceweasel (Windows-specific)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/
CVE-2015-7178 (The ProgramBinary::linkAttributes function in libGLES in ANGLE, as use ...)
	- iceweasel (Windows-specific)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/
CVE-2015-7177 (The InitTextures function in Mozilla Firefox before 41.0 and Firefox E ...)
	{DSA-3365-1}
	- iceweasel 38.3.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
CVE-2015-7176 (The AnimationThread function in Mozilla Firefox before 41.0 and Firefo ...)
	{DSA-3365-1}
	- iceweasel 38.3.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
CVE-2015-7175 (The XULContentSinkImpl::AddText function in Mozilla Firefox before 41. ...)
	{DSA-3365-1}
	- iceweasel 38.3.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
CVE-2015-7174 (The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41. ...)
	{DSA-3365-1}
	- iceweasel 38.3.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
CVE-2015-7173
	REJECTED
CVE-2015-7172
	REJECTED
CVE-2015-7171
	REJECTED
CVE-2015-7170
	REJECTED
CVE-2015-7169
	REJECTED
CVE-2015-7168
	REJECTED
CVE-2015-7167
	REJECTED
CVE-2015-7166
	REJECTED
CVE-2015-7165
	REJECTED
CVE-2015-7164
	REJECTED
CVE-2015-7163
	REJECTED
CVE-2015-7162
	REJECTED
CVE-2015-7161
	REJECTED
CVE-2015-7160
	REJECTED
CVE-2015-7159
	REJECTED
CVE-2015-7158
	REJECTED
CVE-2015-7157
	REJECTED
CVE-2015-7156
	REJECTED
CVE-2015-7155
	REJECTED
CVE-2015-7154
	REJECTED
CVE-2015-7153
	REJECTED
CVE-2015-7152
	REJECTED
CVE-2015-7151
	REJECTED
CVE-2015-7150
	REJECTED
CVE-2015-7149
	REJECTED
CVE-2015-7148
	REJECTED
CVE-2015-7147
	REJECTED
CVE-2015-7146
	REJECTED
CVE-2015-7145
	REJECTED
CVE-2015-7144
	REJECTED
CVE-2015-7143
	REJECTED
CVE-2015-7142
	REJECTED
CVE-2015-7141
	REJECTED
CVE-2015-7140
	REJECTED
CVE-2015-7139
	REJECTED
CVE-2015-7138
	REJECTED
CVE-2015-7137
	REJECTED
CVE-2015-7136
	REJECTED
CVE-2015-7135
	REJECTED
CVE-2015-7134
	REJECTED
CVE-2015-7133
	REJECTED
CVE-2015-7132
	REJECTED
CVE-2015-7131
	REJECTED
CVE-2015-7130
	REJECTED
CVE-2015-7129
	REJECTED
CVE-2015-7128
	REJECTED
CVE-2015-7127
	REJECTED
CVE-2015-7126
	REJECTED
CVE-2015-7125
	REJECTED
CVE-2015-7124
	REJECTED
CVE-2015-7123
	REJECTED
CVE-2015-7122
	REJECTED
CVE-2015-7121
	REJECTED
CVE-2015-7120
	REJECTED
CVE-2015-7119
	REJECTED
CVE-2015-7118
	RESERVED
CVE-2015-7117 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7116 (libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before ...)
	NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2
CVE-2015-7115 (libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before ...)
	NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2
CVE-2015-7114
	REJECTED
CVE-2015-7113 (The LaunchServices component in Apple iOS before 9.2 and watchOS befor ...)
	NOT-FOR-US: Apple
CVE-2015-7112 (The IOHIDFamily API in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...)
	NOT-FOR-US: Apple
CVE-2015-7111 (The IOHIDFamily API in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...)
	NOT-FOR-US: Apple
CVE-2015-7110 (The Disk Images component in Apple OS X before 10.11.2 and tvOS before ...)
	NOT-FOR-US: Apple
CVE-2015-7109 (IOAcceleratorFamily in Apple OS X before 10.11.2 and tvOS before 9.1 a ...)
	NOT-FOR-US: Apple
CVE-2015-7108 (The Bluetooth HCI interface in Apple OS X before 10.11.2 allows local ...)
	NOT-FOR-US: Apple
CVE-2015-7107 (QuickLook in Apple iOS before 9.2 and OS X before 10.11.2 allows remot ...)
	NOT-FOR-US: Apple
CVE-2015-7106 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...)
	NOT-FOR-US: Apple
CVE-2015-7105 (CoreGraphics in Apple iOS before 9.2, OS X before 10.11.2, tvOS before ...)
	NOT-FOR-US: Apple
CVE-2015-7104 (WebKit in Apple Safari before 9.0.2 and tvOS before 9.1 allows remote ...)
	NOT-FOR-US: Webkit as used by Apple
CVE-2015-7103 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7102 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7101 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7100 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7099 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7098 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	- webkit2gtk 2.10.5-1 (unimportant)
CVE-2015-7097 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7096 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	- webkit2gtk 2.10.5-1 (unimportant)
CVE-2015-7095 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7094 (CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 ...)
	NOT-FOR-US: Apple
CVE-2015-7093 (Safari in Apple iOS before 9.2 allows remote attackers to spoof a URL ...)
	NOT-FOR-US: Apple
CVE-2015-7092 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7091 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7090 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7089 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7088 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7087 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7086 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7085 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-7084 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7083 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7082 (Multiple unspecified vulnerabilities in Git before 2.5.4, as used in A ...)
	NOT-FOR-US: Apple-specific git extension for Xcode
CVE-2015-7081 (iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote a ...)
	NOT-FOR-US: Apple
CVE-2015-7080 (Siri in Apple iOS before 9.2 allows physically proximate attackers to ...)
	NOT-FOR-US: Apple
CVE-2015-7079 (dyld in Apple iOS before 9.2 and tvOS before 9.1 mishandles segment va ...)
	NOT-FOR-US: Apple
CVE-2015-7078 (Use-after-free vulnerability in Hypervisor in Apple OS X before 10.11. ...)
	NOT-FOR-US: Apple
CVE-2015-7077 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...)
	NOT-FOR-US: Apple
CVE-2015-7076 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...)
	NOT-FOR-US: Apple
CVE-2015-7075 (CoreMedia Playback in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...)
	NOT-FOR-US: Apple
CVE-2015-7074 (CoreMedia Playback in Apple iOS before 9.2, OS X before 10.11.2, and t ...)
	NOT-FOR-US: Apple
CVE-2015-7073 (Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchO ...)
	NOT-FOR-US: Apple
CVE-2015-7072 (dyld in Apple iOS before 9.2, tvOS before 9.1, and watchOS before 2.1 ...)
	NOT-FOR-US: Apple
CVE-2015-7071 (The File Bookmark component in Apple OS X before 10.11.2 allows attack ...)
	NOT-FOR-US: Apple
CVE-2015-7070 (Mobile Replayer in GPUTools Framework in Apple iOS before 9.2 allows a ...)
	NOT-FOR-US: Apple
CVE-2015-7069 (Mobile Replayer in GPUTools Framework in Apple iOS before 9.2 allows a ...)
	NOT-FOR-US: Apple
CVE-2015-7068 (IOKit SCSI in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7067 (IOThunderboltFamily in Apple OS X before 10.11.2 allows local users to ...)
	NOT-FOR-US: Apple
CVE-2015-7066 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...)
	NOT-FOR-US: Apple
CVE-2015-7065 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7064 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...)
	NOT-FOR-US: Apple
CVE-2015-7063 (The kernel loader in EFI in Apple OS X before 10.11.2 allows local use ...)
	NOT-FOR-US: Apple
CVE-2015-7062 (Apple OS X before 10.11.2 and tvOS before 9.1 allow local users to byp ...)
	NOT-FOR-US: Apple
CVE-2015-7061 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...)
	NOT-FOR-US: Apple
CVE-2015-7060 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...)
	NOT-FOR-US: Apple
CVE-2015-7059 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...)
	NOT-FOR-US: Apple
CVE-2015-7058 (Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 imprope ...)
	NOT-FOR-US: Apple
CVE-2015-7057 (otools in Apple Xcode before 7.2 allows local users to gain privileges ...)
	NOT-FOR-US: Apple
CVE-2015-7056 (IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, ...)
	NOT-FOR-US: Apple
CVE-2015-7055 (AppleMobileFileIntegrity in Apple iOS before 9.2 and tvOS before 9.1 d ...)
	NOT-FOR-US: Apple
CVE-2015-7054 (zlib in the Compression component in Apple iOS before 9.2, OS X before ...)
	NOT-FOR-US: Apple
CVE-2015-7053 (ImageIO in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...)
	NOT-FOR-US: Apple
CVE-2015-7052 (kext tools in Apple OS X before 10.11.2 mishandles kernel-extension lo ...)
	NOT-FOR-US: Apple
CVE-2015-7051 (MobileStorageMounter in Apple iOS before 9.2 and tvOS before 9.1 misha ...)
	NOT-FOR-US: Apple
CVE-2015-7050 (WebKit in Apple iOS before 9.2 and Safari before 9.0.2 misparses conte ...)
	NOT-FOR-US: Apple
CVE-2015-7049 (otools in Apple Xcode before 7.2 allows local users to gain privileges ...)
	NOT-FOR-US: Apple
CVE-2015-7048 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7047 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7046 (The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11. ...)
	NOT-FOR-US: Apple
CVE-2015-7045 (Keychain Access in Apple OS X before 10.11.2 and tvOS before 9.1 impro ...)
	NOT-FOR-US: Apple
CVE-2015-7044 (The System Integrity Protection feature in Apple OS X before 10.11.2 m ...)
	NOT-FOR-US: Apple
CVE-2015-7043 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7042 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7041 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7040 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7039 (Buffer overflow in libc in Apple iOS before 9.2, OS X before 10.11.2, ...)
	NOT-FOR-US: Apple
CVE-2015-7038 (Buffer overflow in libc in Apple iOS before 9.2, OS X before 10.11.2, ...)
	NOT-FOR-US: Apple
CVE-2015-7037 (Directory traversal vulnerability in Mobile Backup in Photos in Apple ...)
	NOT-FOR-US: Apple
CVE-2015-7036 (The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 ...)
	NOT-FOR-US: Apple
CVE-2015-7035 (Apple Mac EFI before 2015-002, as used in OS X before 10.11.1 and othe ...)
	NOT-FOR-US: Apple
CVE-2015-7034 (The Apple iWork application before 2.6 for iOS and Apple Pages before ...)
	NOT-FOR-US: Apple
CVE-2015-7033 (The Apple iWork application before 2.6 for iOS, Apple Keynote before 6 ...)
	NOT-FOR-US: Apple
CVE-2015-7032 (The Apple iWork application before 2.6 for iOS, Apple Keynote before 6 ...)
	NOT-FOR-US: Apple
CVE-2015-7031 (The Web Service component in Apple OS X Server before 5.0.15 omits an ...)
	NOT-FOR-US: Apple
CVE-2015-7030 (The Swift implementation in Apple Xcode before 7.1 mishandles type con ...)
	NOT-FOR-US: Apple
CVE-2015-7029 (Apple AirPort Base Station Firmware before 7.6.7 and 7.7.x before 7.7. ...)
	NOT-FOR-US: Apple
CVE-2015-7028
	REJECTED
CVE-2015-7027
	REJECTED
CVE-2015-7026
	REJECTED
CVE-2015-7025
	REJECTED
CVE-2015-7024 (Untrusted search path vulnerability in Apple OS X before 10.11.1 allow ...)
	NOT-FOR-US: Apple
CVE-2015-7023 (CFNetwork in Apple iOS before 9.1 and OS X before 10.11.1 does not pro ...)
	NOT-FOR-US: Apple
CVE-2015-7022 (The Telephony subsystem in Apple iOS before 9.1 allows attackers to ob ...)
	NOT-FOR-US: Apple
CVE-2015-7021 (The Graphics Drivers subsystem in Apple OS X before 10.11.1 allows loc ...)
	NOT-FOR-US: Apple
CVE-2015-7020 (The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X befo ...)
	NOT-FOR-US: Apple
CVE-2015-7019 (The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X befo ...)
	NOT-FOR-US: Apple
CVE-2015-7018 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-7017 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...)
	NOT-FOR-US: Apple
CVE-2015-7016 (The MCX Application Restrictions component in Apple OS X before 10.11. ...)
	NOT-FOR-US: Apple
CVE-2015-7015 (Heap-based buffer overflow in the DNS client library in configd in App ...)
	NOT-FOR-US: Apple
CVE-2015-7014 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...)
	NOT-FOR-US: Apple
CVE-2015-7013 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...)
	NOT-FOR-US: Webkit as used by Apple
CVE-2015-7012 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...)
	NOT-FOR-US: Apple
CVE-2015-7011 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...)
	NOT-FOR-US: Webkit as used by Apple
CVE-2015-7010 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-7009 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-7008 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-7007 (Script Editor in Apple OS X before 10.11.1 allows remote attackers to ...)
	NOT-FOR-US: Apple
CVE-2015-7006 (Directory traversal vulnerability in the BOM (aka Bill of Materials) c ...)
	NOT-FOR-US: Apple
CVE-2015-7005 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...)
	NOT-FOR-US: Apple
CVE-2015-7004 (The kernel in Apple iOS before 9.1 allows attackers to cause a denial ...)
	NOT-FOR-US: Apple
CVE-2015-7003 (coreaudiod in Audio in Apple OS X before 10.11.1 does not initialize a ...)
	NOT-FOR-US: Apple
CVE-2015-7002 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...)
	NOT-FOR-US: Apple
CVE-2015-7001 (AppSandbox in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...)
	NOT-FOR-US: Apple
CVE-2015-7000 (Notification Center in Apple iOS before 9.1 mishandles changes to "Sho ...)
	NOT-FOR-US: Apple
CVE-2015-6999 (The OCSP client in Apple iOS before 9.1 does not check for certificate ...)
	NOT-FOR-US: Apple
CVE-2015-6998
	REJECTED
CVE-2015-6997 (The X.509 certificate-trust implementation in Apple iOS before 9.1 doe ...)
	NOT-FOR-US: Apple
CVE-2015-6996 (IOAcceleratorFamily in Apple iOS before 9.1, OS X before 10.11.1, and ...)
	NOT-FOR-US: Apple
CVE-2015-6995 (The Disk Images component in Apple iOS before 9.1 and OS X before 10.1 ...)
	NOT-FOR-US: Apple
CVE-2015-6994 (The kernel in Apple iOS before 9.1 and OS X before 10.11.1 mishandles ...)
	NOT-FOR-US: Apple
CVE-2015-6993 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6992 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...)
	NOT-FOR-US: Apple
CVE-2015-6991 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6990 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6989 (Grand Central Dispatch in Apple iOS before 9.1, OS X before 10.11.1, a ...)
	NOT-FOR-US: Apple
CVE-2015-6988 (The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not in ...)
	NOT-FOR-US: Apple
CVE-2015-6987 (The File Bookmark component in Apple OS X before 10.11.1 allows local ...)
	NOT-FOR-US: Apple
CVE-2015-6986 (com.apple.driver.AppleVXD393 in the Graphics Driver subsystem in Apple ...)
	NOT-FOR-US: Apple
CVE-2015-6985 (Apple Type Services (ATS) in Apple OS X before 10.11.1 allows remote a ...)
	NOT-FOR-US: Apple
CVE-2015-6984 (libarchive in Apple OS X before 10.11.1 allows attackers to write to a ...)
	NOT-FOR-US: Apple
CVE-2015-6983 (Double free vulnerability in Apple iOS before 9.1 and OS X before 10.1 ...)
	NOT-FOR-US: Apple
CVE-2015-6982 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...)
	NOT-FOR-US: Apple
CVE-2015-6981 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...)
	NOT-FOR-US: Apple
CVE-2015-6980 (Directory Utility in Apple OS X before 10.11.1 mishandles authenticati ...)
	NOT-FOR-US: Apple
CVE-2015-6979 (GasGauge in Apple iOS before 9.1 allows attackers to execute arbitrary ...)
	NOT-FOR-US: Apple
CVE-2015-6978 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6977 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6976 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...)
	NOT-FOR-US: Apple
CVE-2015-6975 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...)
	NOT-FOR-US: Apple
CVE-2015-6974 (IOHIDFamily in Apple iOS before 9.1, OS X before 10.11.1, and watchOS ...)
	NOT-FOR-US: Apple
CVE-2015-6973 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite R ...)
	NOT-FOR-US: Openfire
CVE-2015-6972 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...)
	NOT-FOR-US: Openfire
CVE-2015-6971 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...)
	NOT-FOR-US: Lenovo
CVE-2015-6970 (The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night ...)
	NOT-FOR-US: Bosch
CVE-2015-6969 (Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 ...)
	- serendipity
CVE-2015-6968 (Multiple incomplete blacklist vulnerabilities in the serendipity_isAct ...)
	- serendipity
CVE-2015-6967 (Unrestricted file upload vulnerability in the My Image plugin in Nibbl ...)
	NOT-FOR-US: Nibbleblog
CVE-2015-6966 (Multiple cross-site request forgery (CSRF) vulnerabilities in Nibblebl ...)
	NOT-FOR-US: Nibbleblog
CVE-2015-6965 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Cont ...)
	NOT-FOR-US: Contact Form Generator plugin for WordPress
CVE-2015-6964
	RESERVED
CVE-2015-6963
	REJECTED
CVE-2015-6962 (SQL injection vulnerability in the web application in Farol allows rem ...)
	NOT-FOR-US: Farol
CVE-2015-7236 (Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in r ...)
	{DSA-3366-1 DLA-311-1}
	- rpcbind 0.2.1-6.1 (bug #799307)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=946204
	NOTE: http://www.spinics.net/lists/linux-nfs/msg53045.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/17/1
CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows ...)
	- web2py 2.12.3-1
	[jessie] - web2py (Minor issue)
	[wheezy] - web2py (Minor issue)
	NOTE: Fixed by: https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0 (R-2.12.1)
	NOTE: https://github.com/web2py/web2py/issues/731
CVE-2015-6960 (edx-platform before 2015-09-17 allows XSS via a team name. ...)
	NOT-FOR-US: Open edX
CVE-2015-6959 (Cross-site scripting (XSS) vulnerability in Vindula 1.9. ...)
	NOT-FOR-US: Vindula
CVE-2015-6958
	RESERVED
CVE-2015-6957
	RESERVED
CVE-2015-6956
	RESERVED
CVE-2015-6955
	RESERVED
CVE-2015-6954
	RESERVED
CVE-2015-6953
	RESERVED
CVE-2015-6952
	RESERVED
CVE-2015-6951
	RESERVED
CVE-2015-6950
	RESERVED
CVE-2015-6949 (Stack-based buffer overflow in the ASUS TM-AC1900 router allows remote ...)
	NOT-FOR-US: ASUS TM-AC1900 router
CVE-2015-6948 (Heap-based buffer overflow in the Microsoft Word document conversion f ...)
	NOT-FOR-US: Corel WordPerfect
CVE-2015-6947
	REJECTED
CVE-2015-6946 (Multiple stack-based buffer overflows in the Reprise License Manager s ...)
	NOT-FOR-US: Borland AccuRev
CVE-2015-6945 (Cross-site scripting (XSS) vulnerability in JSP/MySQL Administrador We ...)
	NOT-FOR-US: JSP/MySQL Administrador Web 1
CVE-2015-6944 (Cross-site request forgery (CSRF) vulnerability in JSP/MySQL Administr ...)
	NOT-FOR-US: JSP/MySQL Administrador Web 1
CVE-2015-6943 (SQL injection vulnerability in the serendipity_checkCommentToken funct ...)
	- serendipity
CVE-2015-6942 (Cross-site scripting (XSS) vulnerability in Coremail XT3.0 allows remo ...)
	NOT-FOR-US: Coremail
CVE-2015-6941 (win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before ...)
	- salt 2015.8.1+ds-1
	[jessie] - salt (Minor issue)
	NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
	NOTE: https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
CVE-2015-6940 (The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x ...)
	NOT-FOR-US: Pentaho
CVE-2015-7989 (Cross-site scripting (XSS) vulnerability in the user list table in Wor ...)
	{DSA-3383-1 DSA-3375-1 DLA-321-1}
	- wordpress 4.3.1+dfsg-1 (bug #799140)
	NOTE: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/26/7
CVE-2015-7337 (The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x ...)
	- ipython (Affects versions 3.0 to 3.2.1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/16/3
CVE-2015-7940 (The Bouncy Castle Java library before 1.51 does not validate a point i ...)
	{DSA-3417-1 DLA-361-1}
	- bouncycastle 1.51-1 (bug #802671)
	NOTE: https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
	NOTE: Commits: https://github.com/bcgit/bc-java/commit/5cb2f05
	NOTE: Possibly needed to include as well: https://github.com/bcgit/bc-java/commit/e25e94a
	NOTE: Peter Dettman offered to assist if backporting fails and to review the result.
CVE-2015-6939 (Cross-site scripting (XSS) vulnerability in the login module in Joomla ...)
	NOT-FOR-US: Joomla!
CVE-2015-6936
	RESERVED
CVE-2015-6935
	REJECTED
CVE-2015-6934 (Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCen ...)
	NOT-FOR-US: VMware
CVE-2015-6933 (The VMware Tools HGFS (aka Shared Folders) implementation in VMware Wo ...)
	NOT-FOR-US: VMware
CVE-2015-6932 (VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify ...)
	NOT-FOR-US: VMware
CVE-2015-6931 (Cross-site scripting (XSS) vulnerability in the vSphere Web Client in ...)
	NOT-FOR-US: VMware
CVE-2015-8871 (Use-after-free vulnerability in the opj_j2k_write_mco function in j2k. ...)
	{DSA-3665-1}
	- openjpeg2 2.1.1-1 (bug #800149)
	- openjpeg (Vulnerable code not present; opj_j2k_write_mco function)
	NOTE: https://github.com/uclouvain/openjpeg/commit/940100c28ae28931722290794889cf84a92c5f6f
	NOTE: https://github.com/uclouvain/openjpeg/issues/563
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1263359
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/15/4
CVE-2015-6930
	RESERVED
CVE-2015-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Networks ...)
	NOT-FOR-US: Nokia
CVE-2015-6928 (classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x befo ...)
	NOT-FOR-US: CubeCart
CVE-2015-6926 (The OpenID Single Sign-On authentication functionality in OXID eShop b ...)
	NOT-FOR-US: OXID eShop
CVE-2015-6925 (wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to caus ...)
	- wolfssl 3.9.10+dfsg-1 (bug #801120)
CVE-2015-6924
	RESERVED
CVE-2015-6923 (The ndvbs module in VBox Communications Satellite Express Protocol 2.3 ...)
	NOT-FOR-US: VBox Communications Satellite Express Protocol
CVE-2015-6922 (Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x bef ...)
	NOT-FOR-US: Kaseya Virtual System Administrator
CVE-2015-6921 (Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab m ...)
	NOT-FOR-US: Zendesk Feedback Tab for Drupal
CVE-2015-6920 (Cross-site scripting (XSS) vulnerability in js/window.php in the sourc ...)
	NOT-FOR-US: sourceAFRICA plugin for WordPress
CVE-2015-6919 (Cross-site scripting (XSS) vulnerability in the googleSearch (CSE) (co ...)
	NOT-FOR-US: googleSearch (CSE) component for Joomla!
CVE-2015-6918 (salt before 2015.5.5 leaks git usernames and passwords to the log. ...)
	- salt 2015.8.1+ds-1 (bug #803182)
	[jessie] - salt (Minor issue)
	NOTE: https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
	NOTE: Fix https://github.com/saltstack/salt/pull/26486 builds on
	NOTE: https://github.com/saltstack/salt/pull/26483
CVE-2015-6917
	RESERVED
CVE-2015-6916
	RESERVED
CVE-2015-6915 (SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 ...)
	NOT-FOR-US: Montala Limited ResourceSpace
CVE-2015-6914 (Absolute path traversal vulnerability in SiteFactory CMS 5.5.9 allows ...)
	NOT-FOR-US: SiteFactory CMS
CVE-2015-6913 (Cross-site scripting (XSS) vulnerability in the "Create download task ...)
	NOT-FOR-US: Synology Download Station
CVE-2015-6912 (Synology Video Station before 1.5-0763 allows remote attackers to exec ...)
	NOT-FOR-US: Synology Video Station
CVE-2015-6911 (SQL injection vulnerability in Synology Video Station before 1.5-0763 ...)
	NOT-FOR-US: Synology Video Station
CVE-2015-6910 (SQL injection vulnerability in Synology Video Station before 1.5-0757 ...)
	NOT-FOR-US: Synology Video Station
CVE-2015-6909 (Cross-site scripting (XSS) vulnerability in the "Create download task ...)
	NOT-FOR-US: Synology Download Station
CVE-2015-6907
	REJECTED
CVE-2015-6906
	REJECTED
CVE-2015-6905
	REJECTED
CVE-2015-6904
	REJECTED
CVE-2015-6903
	REJECTED
CVE-2015-6902
	REJECTED
CVE-2015-6901
	REJECTED
CVE-2015-6900
	REJECTED
CVE-2015-6899
	REJECTED
CVE-2015-6898
	REJECTED
CVE-2015-6897
	REJECTED
CVE-2015-6896
	REJECTED
CVE-2015-6895
	REJECTED
CVE-2015-6894
	REJECTED
CVE-2015-6893
	REJECTED
CVE-2015-6892
	REJECTED
CVE-2015-6891
	REJECTED
CVE-2015-6890
	REJECTED
CVE-2015-6889
	REJECTED
CVE-2015-6888
	REJECTED
CVE-2015-6887
	REJECTED
CVE-2015-6886
	REJECTED
CVE-2015-6885
	REJECTED
CVE-2015-6884
	REJECTED
CVE-2015-6883
	REJECTED
CVE-2015-6882
	REJECTED
CVE-2015-6881
	REJECTED
CVE-2015-6880
	REJECTED
CVE-2015-6879
	REJECTED
CVE-2015-6878
	REJECTED
CVE-2015-6877
	REJECTED
CVE-2015-6876
	REJECTED
CVE-2015-6875
	REJECTED
CVE-2015-6874
	REJECTED
CVE-2015-6873
	REJECTED
CVE-2015-6872
	REJECTED
CVE-2015-6871
	REJECTED
CVE-2015-6870
	REJECTED
CVE-2015-6869
	REJECTED
CVE-2015-6868
	REJECTED
CVE-2015-6867 (The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not requir ...)
	NOT-FOR-US: HP Vertica
CVE-2015-6866
	REJECTED
CVE-2015-6865
	REJECTED
CVE-2015-6864 (HPE ArcSight Logger before 6.1P1 allows remote authenticated users to ...)
	NOT-FOR-US: HPE ArcSight Logger
CVE-2015-6863 (HPE ArcSight Logger before 6.1P1 allows remote attackers to execute ar ...)
	NOT-FOR-US: HPE ArcSight Logger
CVE-2015-6862 (HPE UCMDB Browser before 4.02 allows remote attackers to obtain sensit ...)
	NOT-FOR-US: HPE UCMDB Browser
CVE-2015-6861 (HPE Helion Eucalyptus 3.4.0 through 4.2.0 allows remote authenticated ...)
	NOT-FOR-US: HPE Helion Eucalyptus
CVE-2015-6860 (HPE Network Switches with software 15.16.x and 15.17.x allow local use ...)
	NOT-FOR-US: HPE Network Switches
CVE-2015-6859 (HPE Network Switches with software 15.16.x and 15.17.x allow local use ...)
	NOT-FOR-US: HPE Network Switches
CVE-2015-6858 (HP Insight Control server provisioning before 7.5.0 RabbitMQ allows re ...)
	NOT-FOR-US: HP Insight Control
CVE-2015-6857 (Unspecified vulnerability in Virtual Table Server (VTS) in HP LoadRunn ...)
	NOT-FOR-US: HP Performance Center
CVE-2015-6856 (Dell Pre-Boot Authentication Driver (PBADRV.sys) 1.0.1.5 allows local ...)
	NOT-FOR-US: Dell
CVE-2015-6854 (The non-Domino web agents in CA Single Sign-On (aka SSO, formerly Site ...)
	NOT-FOR-US: CA Single Sign-On
CVE-2015-6853 (The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinde ...)
	NOT-FOR-US: CA Single Sign-On
CVE-2015-6852 (Directory traversal vulnerability in the API in EMC Secure Remote Serv ...)
	NOT-FOR-US: EMC Secure Remote Services Virtual Edition
CVE-2015-6851 (EMC RSA SecurID Web Agent before 8.0 allows physically proximate attac ...)
	NOT-FOR-US: RSA SecurID
CVE-2015-6850 (EMC VPLEX GeoSynchrony 5.4 SP1 before P3 and 5.5 before Patch 1 has a ...)
	NOT-FOR-US: EMC VPLEX
CVE-2015-6849 (EMC NetWorker before 8.0.4.5, 8.1.x before 8.1.3.6, 8.2.x before 8.2.2 ...)
	NOT-FOR-US: EMC
CVE-2015-6848 (EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2 ...)
	NOT-FOR-US: EMC
CVE-2015-6847 (The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 ...)
	NOT-FOR-US: EMC VPLEX
CVE-2015-6846 (EMC SourceOne Email Supervisor before 7.2 uses hardcoded encryption ke ...)
	NOT-FOR-US: EMC SourceOne
CVE-2015-6845 (EMC SourceOne Email Supervisor before 7.2 does not properly employ ran ...)
	NOT-FOR-US: EMC SourceOne
CVE-2015-6844 (Cross-site scripting (XSS) vulnerability in Reviewer in EMC SourceOne ...)
	NOT-FOR-US: EMC SourceOne
CVE-2015-6843 (Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properl ...)
	NOT-FOR-US: EMC SourceOne
CVE-2015-6842
	RESERVED
CVE-2015-6841
	RESERVED
CVE-2015-6840
	RESERVED
CVE-2015-6937 (The __rds_conn_create function in net/rds/connection.c in the Linux ke ...)
	{DSA-3364-1 DLA-310-1}
	- linux 4.2.1-1
	- linux-2.6
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f (v4.3-rc1)
CVE-2015-6908 (The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 ...)
	{DSA-3356-1 DLA-309-1}
	- openldap 2.4.42+dfsg-2 (bug #798622)
	NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
	NOTE: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240;selectid=8240
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/11/2
CVE-2015-7312 (Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3 ...)
	- linux 4.2.1-1 (bug #796036)
	[jessie] - linux 3.16.7-ckt11-1+deb8u4
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/3
	NOTE: http://sourceforge.net/p/aufs/mailman/message/34449209/
	NOTE: For Linux kernel with aufs aufs3-mmap.patch or aufs4-mmap.patch mmap patch
CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands accepted ...)
	{DSA-3362-1 DSA-3361-1}
	- qemu 1:2.4+dfsg-2
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/1
	NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
	NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a
	NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501
CVE-2015-6927 (vzctl before 4.9.4 determines the virtual environment (VE) layout base ...)
{DSA-3357-1} - vzctl 4.9.4-1 [wheezy] - vzctl (Vulnerability not present) [squeeze] - vzctl (Vulnerability not present) NOTE: https://tracker.debian.org/news/711965 NOTE: https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c NOTE: https://plus.google.com/+OpenVZorg/posts/gidyrouNi7D NOTE: https://wiki.openvz.org/Download/vzctl/4.9.4 CVE-2015-6839 (The parse function in MSA vot.Ar 3.1 does not check whether a candidat ...) NOT-FOR-US: MSA vot.Ar CVE-2015-6829 (Multiple SQL injection vulnerabilities in the getip function in wp-lim ...) NOT-FOR-US: getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin for WordPress CVE-2015-6828 (The tweet_info function in class/__functions.php in the SecureMoz Secu ...) NOT-FOR-US: SecureMoz plugin CVE-2015-6827 (Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1. ...) NOT-FOR-US: Auto-Exchanger CVE-2015-6826 (The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in F ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a CVE-2015-6825 (The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFm ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626 CVE-2015-6824 (The sws_init_context function in libswscale/utils.c in FFmpeg before 2 ...) {DLA-1611-2} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111 CVE-2015-6823 (The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2. ...) 
{DLA-1611-2} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6 CVE-2015-6822 (The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7 ...) {DLA-1611-2 DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4 CVE-2015-6821 (The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg be ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1 CVE-2015-6820 (The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7. ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3 CVE-2015-6819 (Multiple integer underflows in the ff_mjpeg_decode_frame function in l ...) - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav (Vulnerable code not present in any Libav version) CVE-2015-6818 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91 NOTE: For libav in jessie, the patch needs to go into the decode_frame() function in libavcodec/pngdec.c CVE-2015-6814 RESERVED CVE-2015-6813 RESERVED CVE-2015-6812 (Invision Power Services IPS Community Suite (aka Invision Power Board, ...) NOT-FOR-US: Invision Power Services IPS Community Suite CVE-2015-6811 (SQL injection vulnerability in the Sophos Cyberoam CR500iNG-XP firewal ...) 
NOT-FOR-US: Sophos Cyberoam CR500iNG-XP firewall appliance with CyberoamOS CVE-2015-6810 (Cross-site scripting (XSS) vulnerability in Invision Power Services IP ...) NOT-FOR-US: Invision Power Services IPS Community Suite CVE-2015-6809 (Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3 ...) NOT-FOR-US: BEdita CVE-2015-6808 (Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1 ...) NOT-FOR-US: Spotlight module for Drupal CVE-2015-6807 (Cross-site scripting (XSS) vulnerability in the Mass Contact module 6. ...) NOT-FOR-US: Mass Contact module for Drupal CVE-2015-6805 (Cross-site scripting (XSS) vulnerability in the MDC Private Message pl ...) NOT-FOR-US: MDC Private Message plugin for WordPress CVE-2015-6830 (libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4. ...) {DSA-3382-1} - phpmyadmin 4:4.4.14.1-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2015-XXXX [hardening for RSA-CRT leak] - libgcrypt11 [wheezy] - libgcrypt11 (Minor issue; additional hardening) [squeeze] - libgcrypt11 (Minor issue; additional hardening) - libgcrypt20 1.6.4-3 [jessie] - libgcrypt20 (Minor issue; additional hardening) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b85c8d6645039fc9d403791750510e439731d479 NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/09/08/5 NOTE: Thread on oss-security to clarify if this should be CVE-2015-5738 or a new CVE CVE-2015-6838 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...) 
{DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 - hhvm 3.12.1+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69782 NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 NOTE: https://github.com/facebook/hhvm/commit/f358ec0e905df41feaa9dc75f4dee814cfe5a60a CVE-2015-6837 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69782 NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6836 (The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70388 NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6835 (The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, an ...) {DSA-3358-1} - php5 5.6.13+dfsg-1 [squeeze] - php5 (Too intrusive to backport) NOTE: https://bugs.php.net/bug.php?id=70219 NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6834 (Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x be ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70172 NOTE: https://bugs.php.net/bug.php?id=70365 NOTE: https://bugs.php.net/bug.php?id=70366 NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-7225 (Tinfoil Devise-two-factor before 2.0.0 does not strictly follow sectio ...) - ruby-devise-two-factor 2.0.0-1 (bug #798466) NOTE: https://www.openwall.com/lists/oss-security/2015/09/06/2 CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (aka g ...) 
{DSA-3480-1 DLA-316-1} - glibc 2.21-1 (bug #798316; bug #801691) [jessie] - glibc 2.19-18+deb8u2 - eglibc [squeeze] - eglibc 2.11.3-4+deb6u7 NOTE: https://www.openwall.com/lists/oss-security/2015/09/05/8 NOTE: Upstream bug https://sourceware.org/bugzilla/show_bug.cgi?id=18928 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7 CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 ...) {DSA-3362-1 DSA-3361-1} - qemu 1:2.4+dfsg-2 (bug #798101) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/4 NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass authenticat ...) - ganglia-web 3.7.5+debian-1 (unimportant; bug #798213) - ganglia 3.6.0-1 (unimportant) [squeeze] - ganglia (affected code not present) NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/2 NOTE: https://github.com/ganglia/ganglia-web/issues/267 NOTE: https://github.com/ganglia/ganglia-web/commit/f8cc17054270d54f53d92bbe3f7764dc3d9efcc7 CVE-2015-6817 (PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows r ...) 
- pgbouncer 1.6.1-1 [jessie] - pgbouncer (Introduced in 1.6) [wheezy] - pgbouncer (Introduced in 1.6) [squeeze] - pgbouncer (Introduced in 1.6) NOTE: http://web.archive.org/web/20150905195759/http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/ NOTE: https://github.com/pgbouncer/pgbouncer/issues/69 NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/3 CVE-2015-XXXX [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely] [experimental] - dnsval 2.1-1 - dnsval 2.0-2 (bug #797470) [jessie] - dnsval (Should possibly be removed in a stable-proposed-update from Jessie) NOTE: Removal in jessie would need as well update to irssi and kamailio NOTE: dnsval/2.0-2 only disables/let val_dane_check fail on usage 2 because not implemented correctly CVE-2015-XXXX [Memory corruption] - libvncserver 0.9.8-1 [squeeze] - libvncserver 0.9.7-2+deb6u2 NOTE: workaround entry for DLA-380-1 until/if CVE assigned NOTE: https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6 NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/09/03/8 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=706087#c1 notes that the fix breaks ABI CVE-2015-6938 (Cross-site scripting (XSS) vulnerability in the file browser in notebo ...) - ipython 2.4.1-1 (low; bug #798886) [jessie] - ipython (Minor issue) [wheezy] - ipython (Minor issue) [squeeze] - ipython (Vulnerable code not present) NOTE: Affected versions: 0.12 <= x <= 4.0 NOTE: https://www.openwall.com/lists/oss-security/2015/09/02/3 CVE-2015-6804 RESERVED CVE-2015-6803 RESERVED CVE-2015-6802 RESERVED CVE-2015-6801 RESERVED CVE-2015-6800 RESERVED CVE-2015-6799 RESERVED CVE-2015-6798 RESERVED CVE-2015-6797 RESERVED CVE-2015-6796 RESERVED CVE-2015-6795 RESERVED CVE-2015-6794 RESERVED CVE-2015-6793 RESERVED CVE-2015-6792 (The MIDI subsystem in Google Chrome before 47.0.2526.106 does not prop ...) 
{DSA-3456-1} - chromium-browser 47.0.2526.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.de/2015/12/stable-channel-update_15.html CVE-2015-6791 (Multiple unspecified vulnerabilities in Google Chrome before 47.0.2526 ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6790 (The WebPageSerializerImpl::openTagToString function in WebKit/Source/w ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6789 (Race condition in the MutationObserver implementation in Blink, as use ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6788 (The ObjectBackedNativeHandler class in extensions/renderer/object_back ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6787 (Multiple unspecified vulnerabilities in Google Chrome before 47.0.2526 ...) - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6786 (The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CS ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6785 (The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CS ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6784 (The page serializer in Google Chrome before 47.0.2526.73 mishandles Ma ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6783 (The FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in ...) - chromium-browser (android only) CVE-2015-6782 (The Document::open function in WebKit/Source/core/dom/Document.cpp in ...) 
{DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6781 (Integer overflow in the FontData::Bound function in data/font_data.cc ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6780 (Use-after-free vulnerability in the Infobars implementation in Google ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6779 (PDFium, as used in Google Chrome before 47.0.2526.73, does not properl ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6778 (The CJBig2_SymbolDict class in fxcodec/jbig2/JBig2_SymbolDict.cpp in P ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6777 (Use-after-free vulnerability in the ContainerNode::notifyNodeInsertedI ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6776 (The opj_dwt_decode_1* functions in dwt.c in OpenJPEG, as used in PDFiu ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6775 (fpdfsdk/src/jsapi/fxjs_v8.cpp in PDFium, as used in Google Chrome befo ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6774 (Use-after-free vulnerability in the GetLoadTimes function in renderer/ ...) {DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6773 (The convolution implementation in Skia, as used in Google Chrome befor ...) 
{DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6772 (The DOM implementation in Blink, as used in Google Chrome before 47.0. ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6771 (js/array.js in Google V8, as used in Google Chrome before 47.0.2526.73 ...) {DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6770 (The DOM implementation in Google Chrome before 47.0.2526.73 allows rem ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6769 (The provisional-load commit implementation in WebKit/Source/bindings/c ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6768 (The DOM implementation in Google Chrome before 47.0.2526.73 allows rem ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6767 (Use-after-free vulnerability in content/browser/appcache/appcache_disp ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6766 (Use-after-free vulnerability in the AppCache implementation in Google ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6765 (Use-after-free vulnerability in content/browser/appcache/appcache_upda ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6764 (The BasicJsonStringifier::SerializeJSArray function in json-stringifie ...) 
{DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - nodejs 4.2.3~dfsg-1 (bug #806385) [jessie] - nodejs (0.10 series not affected) NOTE: https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/ - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6763 (Multiple unspecified vulnerabilities in Google Chrome before 46.0.2490 ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6762 (The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValu ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2 ...) {DSA-3376-1 DLA-1611-1} - ffmpeg 7:2.8.1-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=447860 NOTE: https://code.google.com/p/chromium/issues/detail?id=532967 NOTE: Starting with 44.0.2403.157-1 chromium uses the ffmpeg system copy NOTE: It looks like this relates to multithreaded decoding of VPx codecs, which is not implemented in the squeeze version. But I'm not sure as the second bug report is still private. NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c CVE-2015-6760 (The Image11::map function in renderer/d3d/d3d11/Image11.cpp in libANGL ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6759 (The shouldTreatAsUniqueOrigin function in platform/weborigin/SecurityO ...) 
{DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6758 (The CPDF_Document::GetPage function in fpdfapi/fpdf_parser/fpdf_parser ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6757 (Use-after-free vulnerability in content/browser/service_worker/embedde ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6756 (Use-after-free vulnerability in the CPDFSDK_PageView implementation in ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6755 (The ContainerNode::parserInsertBefore function in core/dom/ContainerNo ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6754 (Cross-site scripting (XSS) vulnerability in the administration interfa ...) NOT-FOR-US: Drupal Path Breadcrumbs module CVE-2015-6753 (Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit ...) NOT-FOR-US: Drupal Quick Edit module CVE-2015-6752 (Cross-site scripting (XSS) vulnerability in the Search API Autocomplet ...) NOT-FOR-US: Drupal Search API Autocomplete module CVE-2015-6751 (Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracke ...) NOT-FOR-US: Drupal Time Tracker module CVE-2015-6750 (Buffer overflow in Ricoh DL FTP Server 1.1.0.6 and earlier allows remo ...) NOT-FOR-US: Ricoh DL FTP Server CVE-2015-6747 (Basware Banking (Maksuliikenne) 8.90.07.X does not properly prevent ac ...) NOT-FOR-US: Basware Banking CVE-2015-6746 (Basware Banking (Maksuliikenne) before 8.90.07.X stores private keys i ...) NOT-FOR-US: Basware Banking CVE-2015-6745 (Basware Banking (Maksuliikenne) 8.90.07.X relies on the client to enfo ...) NOT-FOR-US: Basware Banking CVE-2015-6744 (Basware Banking (Maksuliikenne) before 8.90.07.X relies on the client ...) 
NOT-FOR-US: Basware Banking CVE-2015-6743 (Basware Banking (Maksuliikenne) 8.90.07.X uses a hardcoded password fo ...) NOT-FOR-US: Basware Banking CVE-2015-6742 (Basware Banking (Maksuliikenne) before 8.90.07.X uses a hardcoded pass ...) NOT-FOR-US: Basware Banking CVE-2015-6723 (The ANTrustPropagateAll method in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe CVE-2015-6806 (The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier does n ...) {DSA-3352-1 DLA-305-1} - screen 4.3.1-2 (bug #797624) NOTE: https://savannah.gnu.org/bugs/?45713 NOTE: https://www.openwall.com/lists/oss-security/2015/09/01/1 CVE-2015-6749 (Buffer overflow in the aiff_open function in oggenc/audio.c in vorbis- ...) {DLA-1010-1 DLA-317-1} - vorbis-tools 1.4.0-7 (bug #797461) [jessie] - vorbis-tools 1.4.0-6+deb8u1 NOTE: https://www.openwall.com/lists/oss-security/2015/08/29/1 NOTE: https://trac.xiph.org/ticket/2212 CVE-2015-6741 RESERVED CVE-2015-6740 RESERVED CVE-2015-6739 RESERVED CVE-2015-6738 RESERVED CVE-2015-6748 (Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. ...) {DLA-2075-1} - jsoup 1.8.3-1 (bug #797275) [wheezy] - jsoup (Minor issue) NOTE: https://github.com/jhy/jsoup/pull/582 NOTE: https://hibernate.atlassian.net/browse/HV-1012 NOTE: https://issues.jboss.org/browse/WFLY-5223 NOTE: https://www.openwall.com/lists/oss-security/2015/08/28/3 CVE-2015-6726 RESERVED CVE-2015-6725 (The ANSendForSharedReview method in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6724 (The ANSendForApproval method in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-5723 (Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before ...) 
{DSA-3369-1} - php-doctrine-annotations 1.2.7-1 (low) [jessie] - php-doctrine-annotations 1.2.1-1+deb8u1 - php-doctrine-cache 1.4.2-1 (low) [jessie] - php-doctrine-cache 1.3.1-1+deb8u1 [experimental] - php-doctrine-common 2.5.1-1 - php-doctrine-common 2.4.3-1 (low) [jessie] - php-doctrine-common 2.4.2-2+deb8u1 [experimental] - doctrine 2.5.1+dfsg-1 - doctrine 2.4.8-1 (low) [jessie] - doctrine 2.4.6-1+deb8u1 [wheezy] - doctrine (Minor issue) [squeeze] - doctrine (Minor issue) [experimental] - aws-sdk-for-php 3.2.1-1 - aws-sdk-for-php (Vulnerable code not present) - php-doctrine-bundle 1.5.2-1 (low) - zendframework 1.12.16+dfsg-1 (low) [squeeze] - zendframework (No unsafe permissions found in cache functions) NOTE: Review of zendframework 1.10.6 in Squeeze found no usage of default unsafe permission except in library/Zend/Search/Lucene/Storage/Directory/Filesystem.php but which is unlikely to cause a security issue. NOTE: http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html NOTE: https://github.com/aws/aws-sdk-php/releases/tag/3.2.1 NOTE: http://framework.zend.com/security/advisory/ZF2015-07 CVE-2015-6722 (The CBSharedReviewStatusDialog method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6721 (The CBSharedReviewSecurityDialog method in Adobe Reader and Acrobat 10 ...) NOT-FOR-US: Adobe CVE-2015-6720 (The ANRunSharedReviewEmailStep method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6719 (The CBSharedReviewCloseDialog method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6718 (The CBSharedReviewIfOfflineDialog method in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe CVE-2015-6717 (The DynamicAnnotStore method in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6716 (The ANSendForFormDistribution method in Adobe Reader and Acrobat 10.x ...) 
NOT-FOR-US: Adobe CVE-2015-6715 (The Function apply implementation in Adobe Reader and Acrobat 10.x bef ...) NOT-FOR-US: Adobe CVE-2015-6714 (The Function bind implementation in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6713 (The Function call implementation in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6712 (The ANSendApprovalToAuthorEnabled method in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe CVE-2015-6711 (The DoIdentityDialog method in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe CVE-2015-6710 (The CBBBRInit method in Adobe Reader and Acrobat 10.x before 10.1.16 a ...) NOT-FOR-US: Adobe CVE-2015-6709 (The CBBBRInvite method in Adobe Reader and Acrobat 10.x before 10.1.16 ...) NOT-FOR-US: Adobe CVE-2015-6708 (The ANStartApproval method in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6707 (The ANSendForReview method in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6706 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6705 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6704 (The animations property implementation in Adobe Reader and Acrobat 10. ...) NOT-FOR-US: Adobe CVE-2015-6703 (The loadFlashMovie function in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe CVE-2015-6702 (The createSquareMesh function in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe CVE-2015-6701 (The ambientIlluminationColor property implementation in Adobe Reader a ...) NOT-FOR-US: Adobe CVE-2015-6700 (The setBackground function in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6699 (The addForegroundSprite function in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6698 (Heap-based buffer overflow in the AcroForm implementation in Adobe Rea ...) 
NOT-FOR-US: Adobe CVE-2015-6697 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6696 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6695 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6694 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6693 (The signatureSetSeedValue method in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6692 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.16 and 11 ...) NOT-FOR-US: Adobe CVE-2015-6691 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6690 (Use-after-free vulnerability in the popUpMenuEx method in Adobe Reader ...) NOT-FOR-US: Adobe CVE-2015-6689 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6688 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6687 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6686 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6685 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6684 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6683 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6682 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6681 (Adobe Shockwave Player before 12.2.0.162 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2015-6680 (Adobe Shockwave Player before 12.2.0.162 allows attackers to execute a ...) 
NOT-FOR-US: Adobe Shockwave Player CVE-2015-6679 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6678 (Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6677 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6676 (Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6675 (Siemens RUGGEDCOM ROS 3.8.0 through 4.1.x permanently enables the IP f ...) NOT-FOR-US: Siemens RUGGEDCOM ROS CVE-2015-6672 (Cross-site scripting (XSS) vulnerability in the Administrative Web Int ...) NOT-FOR-US: Citrix CVE-2015-6671 (Open edX edx-platform before 2015-08-25 requires use of the database f ...) NOT-FOR-US: Open edX CVE-2015-6670 (ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1 ...) {DSA-3373-1} - owncloud 7.0.8~dfsg-1 [experimental] - owncloud-calendar 0.7.3-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-015 NOTE: https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414 CVE-2015-6669 RESERVED CVE-2015-6668 (The Job Manager plugin before 0.7.25 allows remote attackers to read a ...) NOT-FOR-US: Wordpress plugin CVE-2015-6667 RESERVED CVE-2015-6664 (XML external entity (XXE) vulnerability in the application import func ...) NOT-FOR-US: SAP Mobile Platform CVE-2015-6663 (Cross-site scripting (XSS) vulnerability in the Client form in the Dev ...) NOT-FOR-US: SAP Afaria CVE-2015-6662 (XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 al ...) NOT-FOR-US: SAP NetWeaver Portal CVE-2015-6657 RESERVED CVE-2015-6656 RESERVED CVE-2015-6666 REJECTED CVE-2015-6655 (Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 all ...) NOT-FOR-US: Pligg CMS CVE-2015-6654 (The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, ...) 
	{DSA-3414-1}
	- xen 4.8.0~rc3-1 (bug #823620; bug #800128)
	[wheezy] - xen (Xen on arm not yet supported)
	[squeeze] - xen (Xen on arm not yet supported)
	NOTE: http://xenbits.xen.org/xsa/advisory-141.html
CVE-2015-6653
	REJECTED
CVE-2015-6652
	REJECTED
CVE-2015-6651
	REJECTED
CVE-2015-6650
	REJECTED
CVE-2015-6649
	REJECTED
CVE-2015-6648
	RESERVED
CVE-2015-6647 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LM ...)
	NOT-FOR-US: Android
CVE-2015-6646 (The System V IPC implementation in the kernel in Android before 6.0 20 ...)
	NOT-FOR-US: Android
	NOTE: https://source.android.com/security/bulletin/2016-01-01.html
	NOTE: This doesn't represent a specific kernel vulnerability. Android does not need and did not apply resource limits to System V IPC.
CVE-2015-6645 (SyncManager in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 a ...)
	NOT-FOR-US: Android
CVE-2015-6644 (Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 ...)
	{DSA-3829-1 DLA-893-1}
	- bouncycastle 1.54-1
	NOTE: https://source.android.com/security/bulletin/2016-01-01.html#information_disclosure_vulnerability_in_bouncy_castle
	NOTE: https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f
	NOTE: Fixed differently upstream https://github.com/bcgit/bc-java/issues/177#issuecomment-290671336
CVE-2015-6643 (Setup Wizard in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01 ...)
	NOT-FOR-US: Android
CVE-2015-6642 (The kernel in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 al ...)
	NOT-FOR-US: Qualcomm driver for Android
	NOTE: https://www.codeaurora.org/projects/security-advisories/information-disclosure-vulnerability-kernel-ipc-router-module-cve-2015-6642
CVE-2015-6641 (Bluetooth in Android 6.0 before 2016-01-01 allows remote attackers to ...)
	NOT-FOR-US: Android
CVE-2015-6640 (The prctl_set_vma_anon_name function in kernel/sys.c in Android before ...)
	NOT-FOR-US: Android kernel extension
	NOTE: https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15
CVE-2015-6639 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LM ...)
	NOT-FOR-US: Android
CVE-2015-6638 (The Imagination Technologies driver in Android 5.x before 5.1.1 LMY49F ...)
	NOT-FOR-US: Imagination driver for Android
CVE-2015-6637 (The MediaTek misc-sd driver in Android before 5.1.1 LMY49F and 6.0 bef ...)
	NOT-FOR-US: MediaTek driver for Android
CVE-2015-6636 (mediaserver in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01- ...)
	NOT-FOR-US: Android Mediaserver
CVE-2015-6635
	RESERVED
CVE-2015-6634 (The display drivers in Android before 5.1.1 LMY48Z allow remote attack ...)
	NOT-FOR-US: Android
CVE-2015-6633 (The display drivers in Android before 5.1.1 LMY48Z and 6.0 before 2015 ...)
	NOT-FOR-US: Android
CVE-2015-6632 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...)
	NOT-FOR-US: libstagefright
CVE-2015-6631 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...)
	NOT-FOR-US: libstagefright
CVE-2015-6630 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...)
	NOT-FOR-US: Android
CVE-2015-6629 (Wi-Fi in Android 5.x before 5.1.1 LMY48Z allows attackers to obtain se ...)
	NOT-FOR-US: Android
CVE-2015-6628 (Media Framework in Android before 5.1.1 LMY48Z and 6.0 before 2015-12- ...)
	NOT-FOR-US: Android
CVE-2015-6627 (The Audio component in Android before 5.1.1 LMY48Z and 6.0 before 2015 ...)
	NOT-FOR-US: Android
CVE-2015-6626 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...)
	NOT-FOR-US: libstagefright
CVE-2015-6625 (System Server in Android 6.0 before 2015-12-01 allows attackers to obt ...)
	NOT-FOR-US: Android
CVE-2015-6624 (System Server in Android 6.0 before 2015-12-01 allows attackers to obt ...)
	NOT-FOR-US: Android
CVE-2015-6623 (Wi-Fi in Android 6.0 before 2015-12-01 allows attackers to gain privil ...)
	NOT-FOR-US: Android
CVE-2015-6622 (The Native Frameworks Library in Android before 5.1.1 LMY48Z and 6.0 b ...)
	NOT-FOR-US: Android
CVE-2015-6621 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...)
	NOT-FOR-US: Android
CVE-2015-6620 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...)
	NOT-FOR-US: libstagefright
CVE-2015-6619 (The kernel in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 al ...)
	- linux (Appears to be caused by a flawed backport of O_TMPFILE feature)
	NOTE: https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4
CVE-2015-6618 (Bluetooth in Android 4.4 and 5.x before 5.1.1 LMY48Z allows user-assis ...)
	NOT-FOR-US: Android
CVE-2015-6617 (Skia, as used in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...)
	- skia (bug #818180)
CVE-2015-6616 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 a ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-6615
	RESERVED
CVE-2015-6614 (Telephony in Android 5.x before 5.1.1 LMY48X allows attackers to gain ...)
	NOT-FOR-US: Android
CVE-2015-6613 (Bluetooth in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 all ...)
	NOT-FOR-US: Android
CVE-2015-6612 (libmedia in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allo ...)
	NOT-FOR-US: Android
CVE-2015-6611 (mediaserver in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 a ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-6610 (libstagefright in Android before 5.1.1 LMY48X and 6.0 before 2015-11-0 ...)
	NOT-FOR-US: libstagefright
CVE-2015-6609 (libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allo ...)
	- android-platform-frameworks-native (unimportant; bug #806375)
CVE-2015-6608 (mediaserver in Android 5.x before 5.1.1 LMY48X and 6.0 before 2015-11- ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-6607 (SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows at ...)
	NOT-FOR-US: Android
	NOTE: The change simply rebased sqlite to 3.8.9, which seems to have happened
	NOTE: for CVE-2015-3414, CVE-2015-3415 and CVE-2015-3416, but no new sqlite issue
CVE-2015-6606 (The Secure Element Evaluation Kit (aka SEEK or SmartCard API) plugin i ...)
	NOT-FOR-US: Android
CVE-2015-6605 (mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-6604 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6603 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6602 (libutils in Android through 5.1.1 LMY48M allows remote attackers to ex ...)
	- android-platform-frameworks-native (unimportant; bug #806375)
CVE-2015-6601 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6600 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6599 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6598 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6597
	RESERVED
CVE-2015-6596 (mediaserver in Android before 5.1.1 LMY48T allows attackers to gain pr ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-6595
	RESERVED
CVE-2015-6594
	RESERVED
CVE-2015-6592 (Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require auth ...)
	NOT-FOR-US: Huawei
CVE-2015-6591 (Directory traversal vulnerability in application/templates/amelia/load ...)
	NOT-FOR-US: Free Reprintables ArticleFR
CVE-2015-6590
	RESERVED
CVE-2015-6589 (Directory traversal vulnerability in Kaseya Virtual System Administrat ...)
	NOT-FOR-US: Kaseya Virtual System Administrator
CVE-2015-6588 (Cross-site scripting (XSS) vulnerability in login-fsp.html in MODX Rev ...)
	NOT-FOR-US: MODX Revolution
CVE-2015-6587 (The vlserver in OpenAFS before 1.6.13 allows remote authenticated user ...)
	{DSA-3320-1 DLA-342-1}
	- openafs 1.6.13-1
	NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-006.txt
CVE-2015-6586 (The mDNS module in Huawei WLAN AC6005, AC6605, and ACU2 devices with s ...)
	NOT-FOR-US: Huawei
CVE-2015-6585 (hwpapp.dll in Hangul Word Processor allows remote attackers to execute ...)
	NOT-FOR-US: Hangul Word Processor
CVE-2015-6584 (Cross-site scripting (XSS) vulnerability in the DataTables plugin 1.10 ...)
	- datatables.js 1.10.9+dfsg-1
	NOTE: http://www.securityfocus.com/archive/1/archive/1/536437/100/0/threaded
	NOTE: https://www.netsparker.com/cve-2015-6384-xss-vulnerability-identified-in-datatables/
	NOTE: https://github.com/DataTables/DataTables/issues/602
	NOTE: https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d
	NOTE: https://nodesecurity.io/advisories/5
CVE-2015-6583 (Google Chrome before 45.0.2454.85 does not display a location bar for ...)
	- chromium-browser 45.0.2454.85-1
	[jessie] - chromium-browser 45.0.2454.85-1~deb8u1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-6582 (The decompose function in platform/transforms/TransformationMatrix.cpp ...)
	- chromium-browser 45.0.2454.85-1
	[jessie] - chromium-browser 45.0.2454.85-1~deb8u1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-6581 (Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_t ...)
	{DSA-3665-1}
	- openjpeg (Vulnerable code not present, function opj_j2k_copy_default_tcp_and_create_tcd)
	- openjpeg2 2.1.1-1 (bug #800453)
	NOTE: Openjpeg2 fix: https://github.com/uclouvain/openjpeg/commit/0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0
	- chromium-browser 45.0.2454.85-1
	[jessie] - chromium-browser 45.0.2454.85-1~deb8u1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-6580 (Multiple unspecified vulnerabilities in Google V8 before 4.5.103.29, a ...)
	- chromium-browser 45.0.2454.85-1
	[jessie] - chromium-browser 45.0.2454.85-1~deb8u1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-6579
	RESERVED
CVE-2015-6578
	RESERVED
CVE-2015-6577
	RESERVED
CVE-2015-6576 (Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers ...)
	NOT-FOR-US: Atlassian Bamboo
CVE-2015-6575 (SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-6574 (The SNAP Lite component in certain SISCO MMS-EASE and AX-S4 ICCP produ ...)
	NOT-FOR-US: SISCO MMS-EASE
CVE-2015-6573
	RESERVED
CVE-2015-6572
	RESERVED
CVE-2015-6571
	RESERVED
CVE-2015-6570
	RESERVED
CVE-2015-6569 (Race condition in the LoadBalancer module in the Atlassian Floodlight ...)
	NOT-FOR-US: Atlassian
CVE-2015-6568 (Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code E ...)
	NOT-FOR-US: Wolf CMS
CVE-2015-6567 (Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code E ...)
	NOT-FOR-US: Wolf CMS
CVE-2015-6566 (zarafa-autorespond in Zarafa Collaboration Platform (ZCP) before 7.2.1 ...)
	- zarafa (bug #658433)
CVE-2015-6562
	RESERVED
CVE-2015-6561
	RESERVED
CVE-2015-6560
	RESERVED
CVE-2015-6559
	RESERVED
CVE-2015-6558
	RESERVED
CVE-2015-6557 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...)
	NOT-FOR-US: IBM
CVE-2015-6556 (EACommunicatorSrv.exe in the Framework Service in the client in Symant ...)
	NOT-FOR-US: Symantec
CVE-2015-6555 (Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP3 a ...)
	NOT-FOR-US: Symantec
CVE-2015-6554 (Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP3 a ...)
	NOT-FOR-US: Symantec
CVE-2015-6553
	REJECTED
CVE-2015-6552 (The management-services protocol implementation in Veritas NetBackup 7 ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2015-6551 (Veritas NetBackup 7.x through 7.5.0.7 and 7.6.0.x through 7.6.0.4 and ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2015-6550 (bpcd in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4 ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2015-6549 (Cross-site scripting (XSS) vulnerability in an application console in ...)
	NOT-FOR-US: Symantec NetBackup OpsCenter
CVE-2015-6548 (Multiple SQL injection vulnerabilities in a PHP script in the manageme ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-6547 (The management console on Symantec Web Gateway (SWG) appliances with s ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-6546 (The vCMP host in F5 BIG-IP Analytics, APM, ASM, GTM, Link Controller, ...)
	NOT-FOR-US: F5 BIG-IP
CVE-2015-6545 (Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb be ...)
	NOT-FOR-US: Cerb
CVE-2015-6544 (Cross-site scripting (XSS) vulnerability in application/dashboard.clas ...)
	NOT-FOR-US: Combodo
CVE-2015-6543
	RESERVED
CVE-2015-6542
	REJECTED
CVE-2015-6541 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail ...)
	NOT-FOR-US: Zimbra
CVE-2015-6540 (Cross-site scripting (XSS) vulnerability in Intellect Design Arena Int ...)
	NOT-FOR-US: Intellect Design Arena Intellect Core banking
CVE-2015-6539
	RESERVED
CVE-2015-6538 (The login page in Epiphany Cardio Server 3.3, 4.0, and 4.1 mishandles ...)
	NOT-FOR-US: Epiphany Cardio Server
CVE-2015-6537 (SQL injection vulnerability in the login page in Epiphany Cardio Serve ...)
	NOT-FOR-US: Epiphany Cardio Server
CVE-2015-6536
	RESERVED
CVE-2015-6535 (Cross-site scripting (XSS) vulnerability in includes/options-profiles. ...)
	NOT-FOR-US: YouTube Embed plugin for WordPress
CVE-2015-6534
	RESERVED
CVE-2015-6533
	RESERVED
CVE-2015-6532
	RESERVED
CVE-2015-6531 (Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 migh ...)
	NOT-FOR-US: Palo Alto Networks Panorama VM Appliance
CVE-2015-6530 (Cross-site scripting (XSS) vulnerability in OpenText Secure MFT 2013 b ...)
	NOT-FOR-US: OpenText Secure MFT 2013
CVE-2015-6529 (Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 ...)
	- phpipam (bug #731713)
CVE-2015-6528 (Multiple cross-site scripting (XSS) vulnerabilities in install_classic ...)
	NOT-FOR-US: Coppermine Photo Gallery
CVE-2015-6525 (Multiple integer overflows in the evbuffer API in Libevent 2.0.x befor ...)
	{DSA-3119-1}
	- libevent 2.0.21-stable-2
	[squeeze] - libevent (Only for issues in 2.0.x and 2.1.x)
	NOTE: Split from CVE-2014-6272
CVE-2015-6524 (The LDAPLoginModule implementation in the Java Authentication and Auth ...)
	- activemq 5.6.0+dfsg1-4 (low)
	[wheezy] - activemq 5.6.0+dfsg-1+deb7u1
	NOTE: http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
CVE-2015-6523 (Cross-site request forgery (CSRF) vulnerability in the Portfolio plugi ...)
	NOT-FOR-US: Portfolio plugin for WordPress
CVE-2015-6522 (SQL injection vulnerability in the WP Symposium plugin before 15.8 for ...)
	NOT-FOR-US: WP Symposium plugin for WordPress
CVE-2015-6661 (Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to ...)
	{DSA-3346-1}
	- drupal7 7.39-1
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-003
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6660 (The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not pr ...)
	{DSA-3346-1}
	- drupal7 7.39-1
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-003
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6659 (SQL injection vulnerability in the SQL comment filtering system in the ...)
	{DSA-3346-1}
	- drupal7 7.39-1
	NOTE: https://www.drupal.org/SA-CORE-2015-003
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6658 (Cross-site scripting (XSS) vulnerability in the Autocomplete system in ...)
	{DSA-3346-1}
	- drupal7 7.39-1
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-003
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6665 (Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal ...)
	{DSA-3346-1}
	- drupal7 7.39-1
	NOTE: https://www.drupal.org/SA-CORE-2015-003
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6673 (Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32. ...)
	{DLA-2035-1}
	- libpgf 6.14.12-3.2 (bug #798032)
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/14
	NOTE: Details on the CVE assignment: https://www.openwall.com/lists/oss-security/2015/08/25/9
	NOTE: https://sourceforge.net/p/libpgf/code/147/
	NOTE: https://sourceforge.net/p/libpgf/code/148/
CVE-2015-6527 (The php_str_replace_in_subject function in ext/standard/string.c in PH ...)
	- php5 (Specific to PHP 7)
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=6aeee47b2cd47915ccfa3b41433a3f57aea24dd5
	NOTE: https://bugs.php.net/bug.php?id=70140
CVE-2015-6521 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS vers ...)
	NOT-FOR-US: ATutor
CVE-2015-6519 (SQL injection vulnerability in Arab Portal 3 allows remote attackers t ...)
	NOT-FOR-US: Arab Portal 3
CVE-2015-6518 (Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1. ...)
	- phpliteadmin (Fixed before initial upload)
CVE-2015-6517 (Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 al ...)
	- phpliteadmin (Fixed before initial upload)
CVE-2015-6516 (SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier al ...)
	NOT-FOR-US: cygnux.org sysPass
CVE-2015-6515 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...)
	NOT-FOR-US: Splunk
CVE-2015-6514 (Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk En ...)
	NOT-FOR-US: Splunk Enterprise
CVE-2015-6513 (Multiple SQL injection vulnerabilities in the J2Store (com_j2store) ex ...)
	NOT-FOR-US: Joomla extension com_j2store
CVE-2015-6512 (SQL injection vulnerability in the get_messages function in server/plu ...)
	NOT-FOR-US: FreiChat
CVE-2015-6511 (Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allow ...)
	NOT-FOR-US: pfSense
CVE-2015-6510 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense before ...)
	NOT-FOR-US: pfSense
CVE-2015-6509 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense before ...)
	NOT-FOR-US: pfSense
CVE-2015-6508 (Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allow ...)
	NOT-FOR-US: pfSense
CVE-2015-6507 (The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows ...)
	NOT-FOR-US: SAP
CVE-2015-6833 (Directory traversal vulnerability in the PharData class in PHP before ...)
	{DSA-3344-1 DLA-341-1}
	- php5 5.6.12+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=70019
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
	NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6831 (Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5 ...)
	{DSA-3344-1 DLA-341-1}
	- php5 5.6.12+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=70169
	NOTE: https://bugs.php.net/bug.php?id=70168
	NOTE: https://bugs.php.net/bug.php?id=70166
	NOTE: https://bugs.php.net/bug.php?id=70155
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
	NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6832 (Use-after-free vulnerability in the SPL unserialize implementation in ...)
	{DSA-3344-1 DLA-341-1}
	- php5 5.6.12+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=70068
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
	NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6505
	RESERVED
CVE-2015-6504
	RESERVED
CVE-2015-6503
	RESERVED
CVE-2015-6502 (Cross-site scripting (XSS) vulnerability in the console in Puppet Ente ...)
	NOT-FOR-US: Puppet Enterprise
CVE-2015-6501 (Open redirect vulnerability in the Console in Puppet Enterprise before ...)
	- puppet (Limited to Puppet Enterprise)
CVE-2015-6500 (Directory traversal vulnerability in ownCloud Server before 8.0.6 and ...)
	{DSA-3373-1}
	- owncloud 7.0.10~dfsg-2 (bug #800126)
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-014
	NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-048.txt
	NOTE: https://github.com/owncloud/core/commit/9f8c0a3a8d14f1c127b2034faa14d8d309f962e9
CVE-2015-6499
	RESERVED
CVE-2015-6498 (Alcatel-Lucent Home Device Manager before 4.1.10, 4.2.x before 4.2.2 a ...)
	NOT-FOR-US: Alcatel-Lucent Home Device Manager
CVE-2015-6497 (The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2 ...)
	NOT-FOR-US: Magento
CVE-2015-6495 (There is Sensitive Information in Cloudera Manager before 5.4.6 Diagno ...)
	NOT-FOR-US: Cloudera
CVE-2015-6494 (Cross-site scripting (XSS) vulnerability in Infinite Automation Mango ...)
	NOT-FOR-US: Infinite Automation Mango Automation
CVE-2015-6493 (Cross-site request forgery (CSRF) vulnerability in Infinite Automation ...)
	NOT-FOR-US: Infinite Automation Mango Automation
CVE-2015-6492 (Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 dev ...)
	NOT-FOR-US: Allen-Bradley MicroLogix
CVE-2015-6491 (Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 dev ...)
	NOT-FOR-US: Allen-Bradley MicroLogix
CVE-2015-6490 (Stack-based buffer overflow on Allen-Bradley MicroLogix 1100 devices b ...)
	NOT-FOR-US: Allen-Bradley MicroLogix
CVE-2015-6489
	RESERVED
CVE-2015-6488 (Cross-site scripting (XSS) vulnerability in the web server on Allen-Br ...)
	NOT-FOR-US: Allen-Bradley MicroLogix
CVE-2015-6487
	REJECTED
CVE-2015-6486 (SQL injection vulnerability on Allen-Bradley MicroLogix 1100 devices b ...)
	NOT-FOR-US: Allen-Bradley MicroLogix
CVE-2015-6485 (Schneider Electric Telvent Sage 2300 RTUs with firmware before C3413-5 ...)
	NOT-FOR-US: Schneider
CVE-2015-6484 (3S-Smart CODESYS Gateway Server before 2.3.9.48 allows remote attacker ...)
	NOT-FOR-US: 3S-Smart CODESYS
CVE-2015-6483
	RESERVED
CVE-2015-6482 (Runtime Toolkit before 2.4.7.48 in 3S-Smart CODESYS before 2.3.9.48 al ...)
	NOT-FOR-US: 3S-Smart CODESYS
CVE-2015-6481 (The login function in the RequestController class in Moxa OnCell Centr ...)
	NOT-FOR-US: Moxa
CVE-2015-6480 (The MessageBrokerServlet servlet in Moxa OnCell Central Manager before ...)
	NOT-FOR-US: Moxa
CVE-2015-6479 (ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, ...)
	NOT-FOR-US: Sierra Wireless ALEOS
CVE-2015-6478 (Unitronics VisiLogic OPLC IDE before 9.8.02 does not properly restrict ...)
	NOT-FOR-US: Unitronics VisiLogic OPLC IDE
CVE-2015-6477 (Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm P ...)
	NOT-FOR-US: Nordex Control
CVE-2015-6476 (Advantech EKI-122x-BE devices with firmware before 1.65, EKI-132x devi ...)
	NOT-FOR-US: Advantech EKI-122x-BE devices
CVE-2015-6475 (Multiple cross-site scripting (XSS) vulnerabilities in IBC Solar Serve ...)
	NOT-FOR-US: ServeMaster
CVE-2015-6474 (IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers ...)
	NOT-FOR-US: ServeMaster
CVE-2015-6473 (WAGO IO 750-849 01.01.27 and WAGO IO 750-881 01.02.05 do not contain p ...)
	NOT-FOR-US: WAGO IO
CVE-2015-6472 (WAGO IO 750-849 01.01.27 and 01.02.05, WAGO IO 750-881, and WAGO IO 75 ...)
	NOT-FOR-US: WAGO IO
CVE-2015-6471 (Eaton Cooper Power Systems ProView 4.x and 5.x before 5.1 on Form 6 co ...)
	NOT-FOR-US: Eaton Cooper Power Systems ProView
CVE-2015-6470 (Resource Data Management Data Manager before 2.2 allows remote authent ...)
	NOT-FOR-US: Resource Data Manager
CVE-2015-6469 (The interpreter in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ all ...)
	NOT-FOR-US: ServeMaster
CVE-2015-6468 (Cross-site request forgery (CSRF) vulnerability in Resource Data Manag ...)
	NOT-FOR-US: Resource Data Manager
CVE-2015-6467 (Advantech WebAccess before 8.1 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Advantech
CVE-2015-6466 (Cross-site scripting (XSS) vulnerability in the Diagnosis Ping feature ...)
	NOT-FOR-US: Moxa switches
CVE-2015-6465 (The GoAhead web server on Moxa EDS-405A and EDS-408A switches with fir ...)
	NOT-FOR-US: Moxa switches
CVE-2015-6464 (The administrative web interface on Moxa EDS-405A and EDS-408A switche ...)
	NOT-FOR-US: Moxa switches
CVE-2015-6463 (CodeWrights HART Comm DTM components, as used with Endress+Hauser Fiel ...)
	NOT-FOR-US: CodeWrights HART Comm DTM components
CVE-2015-6462 (Reflected Cross-Site Scripting (nonpersistent) allows an attacker to c ...)
	NOT-FOR-US: Schneider
CVE-2015-6461 (Remote file inclusion allows an attacker to craft a specific URL refer ...)
	NOT-FOR-US: Schneider
CVE-2015-6460 (Multiple heap-based buffer overflows in 3S-Smart CODESYS Gateway Serve ...)
	NOT-FOR-US: CODESYS Gateway Server
CVE-2015-6459 (Absolute path traversal vulnerability in the download feature in FileD ...)
	NOT-FOR-US: FileDownloadServlet
CVE-2015-6458 (Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow conditi ...)
	NOT-FOR-US: Moxa
CVE-2015-6457 (Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow conditi ...)
	NOT-FOR-US: Moxa
CVE-2015-6456 (GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1. ...)
	NOT-FOR-US: PulseNET
CVE-2015-6455
	REJECTED
CVE-2015-6454 (Everest PeakHMI before 8.7.0.2, when the video server is used, allows ...)
	NOT-FOR-US: PeakHMI
CVE-2015-6453
	REJECTED
CVE-2015-6452
	REJECTED
CVE-2015-6451
	REJECTED
CVE-2015-6450
	REJECTED
CVE-2015-6449
	REJECTED
CVE-2015-6448
	REJECTED
CVE-2015-6447
	REJECTED
CVE-2015-6446
	REJECTED
CVE-2015-6445
	REJECTED
CVE-2015-6444
	REJECTED
CVE-2015-6443
	REJECTED
CVE-2015-6442
	REJECTED
CVE-2015-6441
	REJECTED
CVE-2015-6440
	REJECTED
CVE-2015-6439
	REJECTED
CVE-2015-6438
	REJECTED
CVE-2015-6437
	REJECTED
CVE-2015-6436
	REJECTED
CVE-2015-6435 (An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 900 ...)
	NOT-FOR-US: Cisco
CVE-2015-6434 (Cisco Prime Infrastructure does not properly restrict use of IFRAME el ...)
	NOT-FOR-US: Cisco
CVE-2015-6433 (SQL injection vulnerability in Cisco Unified Communications Manager 11 ...)
	NOT-FOR-US: Cisco
CVE-2015-6432 (Cisco IOS XR 4.2.0, 4.3.0, 5.0.0, 5.1.0, 5.2.0, 5.2.2, 5.2.4, 5.3.0, a ...)
	NOT-FOR-US: Cisco
CVE-2015-6431 (Cisco IOS XE 16.1.1 allows remote attackers to cause a denial of servi ...)
	NOT-FOR-US: Cisco
CVE-2015-6430
	RESERVED
CVE-2015-6429 (The IKEv1 state machine in Cisco IOS 15.4 through 15.6 and IOS XE 3.15 ...)
	NOT-FOR-US: Cisco
CVE-2015-6428 (Cisco DPQ3925 devices with EDVA r1 Base allow remote attackers to obta ...)
	NOT-FOR-US: Cisco
CVE-2015-6427 (Cisco FireSIGHT Management Center allows remote attackers to bypass th ...)
	NOT-FOR-US: Cisco
CVE-2015-6426 (Cisco Prime Network Services Controller 3.0 allows local users to bypa ...)
	NOT-FOR-US: Cisco
CVE-2015-6425 (The WebApplications Identity Management subsystem in Cisco Unified Com ...)
	NOT-FOR-US: Cisco
CVE-2015-6424 (The boot manager in Cisco Application Policy Infrastructure Controller ...)
	NOT-FOR-US: Cisco
CVE-2015-6423 (The DCERPC Inspection implementation in Cisco Adaptive Security Applia ...)
	NOT-FOR-US: Cisco
CVE-2015-6422 (The self-service application in Cisco Unified Communications Domain Ma ...)
	NOT-FOR-US: Cisco
CVE-2015-6421 (cifs-ao in the CIFS optimization functionality on Cisco Wide Area Appl ...)
	NOT-FOR-US: Cisco
CVE-2015-6420 (Serialized-object interfaces in certain Cisco Collaboration and Social ...)
	NOT-FOR-US: Cisco
CVE-2015-6419 (Cisco FireSIGHT Management Center with software 4.10.3, 5.2.0, 5.3.0, ...)
	NOT-FOR-US: Cisco
CVE-2015-6418 (The random-number generator on Cisco Small Business RV routers 4.x and ...)
	NOT-FOR-US: Cisco
CVE-2015-6417 (Cisco Videoscape Distribution Suite Service Manager (VDS-SM) 3.4.0 and ...)
	NOT-FOR-US: Cisco
CVE-2015-6416 (Cross-site scripting (XSS) vulnerability in Cisco Unified Email Intera ...)
	NOT-FOR-US: Cisco
CVE-2015-6415 (Cisco Unified Computing System (UCS) 2.2(3f)A on Fabric Interconnect 6 ...)
	NOT-FOR-US: Cisco
CVE-2015-6414 (Cisco TelePresence Video Communication Server (VCS) X8.6 uses the same ...)
	NOT-FOR-US: Cisco
CVE-2015-6413 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.6 al ...)
	NOT-FOR-US: Cisco
CVE-2015-6412 (Cisco Modular Encoding Platform D9036 Software before 02.04.70 has har ...)
	NOT-FOR-US: Cisco
CVE-2015-6411 (Cisco FirePOWER Management Center 5.4.1.3, 6.0.0, and 6.0.1 provides v ...)
	NOT-FOR-US: Cisco
CVE-2015-6410 (The Mobile and Remote Access (MRA) services implementation in Cisco Un ...)
	NOT-FOR-US: Cisco
CVE-2015-6409 (Cisco Jabber 10.6.x, 11.0.x, and 11.1.x on Windows allows man-in-the-m ...)
	NOT-FOR-US: Cisco
CVE-2015-6408 (Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connect ...)
	NOT-FOR-US: Cisco
CVE-2015-6407 (Cisco Emergency Responder 10.5(3.10000.9) allows remote attackers to u ...)
	NOT-FOR-US: Cisco
CVE-2015-6406 (Directory traversal vulnerability in the Tools menu in Cisco Emergency ...)
	NOT-FOR-US: Cisco
CVE-2015-6405 (Cross-site request forgery (CSRF) vulnerability in Cisco Emergency Res ...)
	NOT-FOR-US: Cisco
CVE-2015-6404 (Cisco Hosted Collaboration Mediation Fulfillment 10.6(3) does not use ...)
	NOT-FOR-US: Cisco
CVE-2015-6403 (The TFTP implementation on Cisco Small Business SPA30x, SPA50x, SPA51x ...)
	NOT-FOR-US: Cisco
CVE-2015-6402 (Cross-site scripting (XSS) vulnerability in the management interface o ...)
	NOT-FOR-US: Cisco
CVE-2015-6401 (Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote ...)
	NOT-FOR-US: Cisco
CVE-2015-6400 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Emergency ...)
	NOT-FOR-US: Cisco
CVE-2015-6399 (The Supervisor 1.0.0.0 and 1.0.0.1 in Cisco Integrated Management Cont ...)
	NOT-FOR-US: Cisco
CVE-2015-6398 (Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switche ...)
	NOT-FOR-US: Cisco
CVE-2015-6397 (Cisco RV110W, RV130W, and RV215W devices have an incorrect RBAC config ...)
	NOT-FOR-US: Cisco
CVE-2015-6396 (The CLI command parser on Cisco RV110W, RV130W, and RV215W devices all ...)
	NOT-FOR-US: Cisco
CVE-2015-6395 (Cisco Prime Service Catalog 10.0, 10.0(R2), 10.1, and 11.0 does not pr ...)
	NOT-FOR-US: Cisco
CVE-2015-6394 (The kernel in Cisco NX-OS 5.2(9)N1(1) on Nexus 5000 devices allows loc ...)
	NOT-FOR-US: Cisco
CVE-2015-6393 (Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 3000, ...)
	NOT-FOR-US: Cisco
CVE-2015-6392 (Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 5000, ...)
	NOT-FOR-US: Cisco
CVE-2015-6391 (Cisco Unified SIP 3905 phones allow remote attackers to cause a denial ...)
	NOT-FOR-US: Cisco
CVE-2015-6390 (Cross-site scripting (XSS) vulnerability in the management interface i ...)
	NOT-FOR-US: Cisco
CVE-2015-6389 (Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser ...)
	NOT-FOR-US: Cisco Prime Collaboration Assurance
CVE-2015-6388 (Cisco Unified Computing System (UCS) Central software 1.3(0.1) allows ...)
	NOT-FOR-US: Cisco
CVE-2015-6387 (Cross-site scripting (XSS) vulnerability in Cisco Unified Computing Sy ...)
	NOT-FOR-US: Cisco
CVE-2015-6386 (The passthrough FTP feature on Cisco Web Security Appliance (WSA) devi ...)
	NOT-FOR-US: Cisco
CVE-2015-6385 (The publish-event event-manager feature in Cisco IOS 15.5(2)S and 15.5 ...)
	NOT-FOR-US: Cisco
CVE-2015-6384 (The Cisco WebEx Meetings application before 8.5.1 for Android improper ...)
	NOT-FOR-US: Cisco
CVE-2015-6383 (Cisco IOS XE 15.4(3)S on ASR 1000 devices improperly loads software pa ...)
	NOT-FOR-US: Cisco
CVE-2015-6382 (Cisco ASR 5000 devices with software 16.0(900) allow remote attackers ...)
	NOT-FOR-US: Cisco
CVE-2015-6381
	RESERVED
CVE-2015-6380 (An unspecified script in the web interface in Cisco Firepower Extensib ...)
	NOT-FOR-US: Cisco
CVE-2015-6379 (The XML parser in the management interface in Cisco Adaptive Security ...)
	NOT-FOR-US: Cisco
CVE-2015-6378 (Cross-site request forgery (CSRF) vulnerability on Cisco DPQ3925 devic ...)
	NOT-FOR-US: Cisco
CVE-2015-6377 (Cisco Virtual Topology System (VTS) 2.0(0) and 2.0(1) allows remote at ...)
	NOT-FOR-US: Cisco
CVE-2015-6376 (Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-6375 (The debug-logging (aka debug cns) feature in Cisco Networking Services ...)
	NOT-FOR-US: Cisco
CVE-2015-6374 (The web interface in Cisco Firepower Extensible Operating System 1.1(1 ...)
	NOT-FOR-US: Cisco
CVE-2015-6373 (Cross-site request forgery (CSRF) vulnerability in Cisco Firepower Ext ...)
	NOT-FOR-US: Cisco
CVE-2015-6372 (Cross-site scripting (XSS) vulnerability in the web-based management i ...)
	NOT-FOR-US: Cisco
CVE-2015-6371 (Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 90 ...)
	NOT-FOR-US: Cisco
CVE-2015-6370 (The Management I/O (MIO) component in Cisco Firepower Extensible Opera ...)
	NOT-FOR-US: Cisco
CVE-2015-6369 (The USB driver in Cisco Firepower Extensible Operating System 1.1(1.16 ...)
	NOT-FOR-US: Cisco
CVE-2015-6368 (Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 90 ...)
	NOT-FOR-US: Cisco
CVE-2015-6367 (Cisco Aironet 1800 devices with software 8.1(131.0) allow remote attac ...)
	NOT-FOR-US: Cisco
CVE-2015-6366 (Cisco IOS 15.2(04)M6 and 15.4(03)S lets physical-interface ACLs supers ...)
	NOT-FOR-US: Cisco
CVE-2015-6365 (Cisco IOS 15.2(04)M and 15.4(03)M lets physical-interface ACLs superse ...)
	NOT-FOR-US: Cisco
CVE-2015-6364 (Cisco Content Delivery System Manager Software 3.2 on Videoscape Distr ...)
	NOT-FOR-US: Cisco
CVE-2015-6363 (Multiple cross-site scripting (XSS) vulnerabilities in the web framewo ...)
	NOT-FOR-US: Cisco
CVE-2015-6362 (The web GUI in Cisco Connected Grid Network Management System (CG-NMS) ...)
	NOT-FOR-US: Cisco
CVE-2015-6361 (The administrative web interface on Cisco DPC3939 (XB3) devices with f ...)
	NOT-FOR-US: Cisco
CVE-2015-6360 (The encryption-processing feature in Cisco libSRTP before 1.5.3 allows ...)
	{DSA-3539-1 DLA-393-1}
	[experimental] - srtp 1.5.3~dfsg-1
	- srtp 1.4.5~20130609~dfsg-1.2 (bug #807698)
	NOTE: Fix: https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2
	NOTE: Fixup: https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4
	NOTE: Fixup: https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee
	NOTE: Fixup: https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f
CVE-2015-6359 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6358 (Multiple Cisco embedded devices use hardcoded X.509 certificates and S ...)
	NOT-FOR-US: Cisco
CVE-2015-6357 (The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 ...)
	NOT-FOR-US: Cisco FireSIGHT
CVE-2015-6356 (Cross-site scripting (XSS) vulnerability in the WeChat page in Cisco S ...)
	NOT-FOR-US: Cisco
CVE-2015-6355 (The web interface in Cisco Unified Computing System (UCS) 2.2(5b)A on ...)
	NOT-FOR-US: Cisco
CVE-2015-6354 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight ...)
	NOT-FOR-US: Cisco
CVE-2015-6353 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight ...)
	NOT-FOR-US: Cisco
CVE-2015-6352 (Cisco Unified Communications Domain Manager before 10.6(1) provides di ...)
	NOT-FOR-US: Cisco
CVE-2015-6351 (Cisco ASR 5500 System Architecture Evolution (SAE) Gateway devices wit ...)
	NOT-FOR-US: Cisco
CVE-2015-6350 (SQL injection vulnerability in the web framework in Cisco Prime Servic ...)
	NOT-FOR-US: Cisco
CVE-2015-6349 (Cross-site scripting (XSS) vulnerability in the web interface in the S ...)
	NOT-FOR-US: Cisco
CVE-2015-6348 (The report-generation web interface in the Solution Engine in Cisco Se ...)
	NOT-FOR-US: Cisco
CVE-2015-6347 (The Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0. ...)
	NOT-FOR-US: Cisco
CVE-2015-6346 (Cross-site scripting (XSS) vulnerability in Cisco Secure Access Contro ...)
	NOT-FOR-US: Cisco
CVE-2015-6345 (SQL injection vulnerability in the Solution Engine in Cisco Secure Acc ...)
	NOT-FOR-US: Cisco
CVE-2015-6344 (The web-based GUI in Cisco Adaptive Security Appliance (ASA) CX Contex ...)
	NOT-FOR-US: Cisco Adaptive Security Appliance
CVE-2015-6343 (The SIP implementation in Cisco IOS 15.5(3)M on Cisco Unified Border E ...)
	NOT-FOR-US: Cisco
CVE-2015-6342
	REJECTED
CVE-2015-6341 (The Web Management GUI on Cisco Wireless LAN Controller (WLC) devices ...)
	NOT-FOR-US: Cisco
CVE-2015-6340 (The Proxy Mobile IPv6 (PMIPv6) component in the CDMA implementation on ...)
	NOT-FOR-US: Cisco
CVE-2015-6339
	REJECTED
CVE-2015-6338
	REJECTED
CVE-2015-6337 (Cross-site scripting (XSS) vulnerability in Cisco Application Policy I ...)
	NOT-FOR-US: Cisco
CVE-2015-6336 (Cisco Aironet 1800 devices with software 7.2, 7.3, 7.4, 8.1(112.3), 8. ...)
	NOT-FOR-US: Cisco
CVE-2015-6335 (The policy implementation in Cisco FireSIGHT Management Center 5.3.1.7 ...)
	NOT-FOR-US: Cisco
CVE-2015-6334 (Cisco ASR 5000 and 5500 devices with software 18.0.0.57828 and 19.0.M0 ...)
	NOT-FOR-US: Cisco
CVE-2015-6333 (Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows ...)
	NOT-FOR-US: Cisco
CVE-2015-6332 (Cisco Prime Infrastructure 2.2 allows remote attackers to cause a deni ...)
	NOT-FOR-US: Cisco
CVE-2015-6331 (SQL injection vulnerability in the web framework in Cisco Prime Collab ...)
	NOT-FOR-US: Cisco
CVE-2015-6330 (Cross-site request forgery (CSRF) vulnerability in Cisco Prime Collabo ...)
	NOT-FOR-US: Cisco
CVE-2015-6329 (SQL injection vulnerability in Cisco Prime Collaboration Provisioning ...)
	NOT-FOR-US: Cisco
CVE-2015-6328 (The web framework in Cisco Prime Collaboration Assurance (PCA) 10.5(1) ...)
	NOT-FOR-US: Cisco
CVE-2015-6327 (The IKEv1 implementation in Cisco Adaptive Security Appliance (ASA) so ...)
	NOT-FOR-US: Cisco
CVE-2015-6326 (Cisco Adaptive Security Appliance (ASA) software 7.2 and 8.2 before 8. ...)
	NOT-FOR-US: Cisco
CVE-2015-6325 (Cisco Adaptive Security Appliance (ASA) software 7.2 and 8.2 before 8. ...)
	NOT-FOR-US: Cisco
CVE-2015-6324 (The DHCPv6 relay implementation in Cisco Adaptive Security Appliance ( ...)
	NOT-FOR-US: Cisco
CVE-2015-6323 (The Admin portal in Cisco Identity Services Engine (ISE) 1.1.x, 1.2.0 ...)
	NOT-FOR-US: Cisco
CVE-2015-6322 (The IPC channel in Cisco AnyConnect Secure Mobility Client 2.0.0343 th ...)
	NOT-FOR-US: Cisco
CVE-2015-6321 (Cisco AsyncOS before 8.5.7-042, 9.x before 9.1.0-032, 9.1.x before 9.1 ...)
	NOT-FOR-US: Cisco
CVE-2015-6320 (The IP ingress packet handler on Cisco Aironet 1800 devices with softw ...)
	NOT-FOR-US: Cisco
CVE-2015-6319 (SQL injection vulnerability in the web-based management interface on C ...)
	NOT-FOR-US: Cisco
CVE-2015-6318 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 ...)
	NOT-FOR-US: Cisco
CVE-2015-6317 (Cisco Identity Services Engine (ISE) before 2.0 allows remote authenti ...)
	NOT-FOR-US: Cisco
CVE-2015-6316 (The default configuration of sshd_config in Cisco Mobility Services En ...)
	NOT-FOR-US: Cisco
CVE-2015-6315 (Cisco Aironet 1850 access points with software 8.1(112.4) allow local ...)
	NOT-FOR-US: Cisco
CVE-2015-6314 (Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 b ...)
	NOT-FOR-US: Cisco Wireless LAN Controller
CVE-2015-6313 (Cisco TelePresence Server 4.1(2.29) through 4.2(4.17) on 7010; Mobilit ...)
	NOT-FOR-US: Cisco
CVE-2015-6312 (Cisco TelePresence Server 3.1 on 7010, Mobility Services Engine (MSE) ...)
	NOT-FOR-US: Cisco
CVE-2015-6311 (Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0), ...)
	NOT-FOR-US: Cisco
CVE-2015-6310 (The REST interface in Cisco Unified Communications Manager IM and Pres ...)
	NOT-FOR-US: Cisco
CVE-2015-6309 (Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows re ...)
	NOT-FOR-US: Cisco
CVE-2015-6308 (Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated ...)
	NOT-FOR-US: Cisco
CVE-2015-6307 (Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 devices with softw ...)
	NOT-FOR-US: Cisco
CVE-2015-6306 (Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does ...)
	NOT-FOR-US: Cisco
CVE-2015-6305 (Untrusted search path vulnerability in the CMainThread::launchDownload ...)
	NOT-FOR-US: Cisco
CVE-2015-6304 (Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-6303 (The Cisco Spark application 2015-07-04 for mobile operating systems do ...)
	NOT-FOR-US: Cisco
CVE-2015-6302 (The RADIUS functionality on Cisco Wireless LAN Controller (WLC) device ...)
	NOT-FOR-US: Cisco
CVE-2015-6301 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...)
	NOT-FOR-US: Cisco
CVE-2015-6300 (Cisco Secure Access Control Server (ACS) Solution Engine 5.7(0.15) all ...)
	NOT-FOR-US: Cisco
CVE-2015-6299 (SQL injection vulnerability in the web interface in Cisco Unity Connec ...)
	NOT-FOR-US: Cisco
CVE-2015-6298 (The admin web interface in Cisco AsyncOS 8.x before 8.0.8-113, 8.1.x a ...)
	NOT-FOR-US: Cisco
CVE-2015-6297 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...)
	NOT-FOR-US: Cisco
CVE-2015-6296 (Cisco Prime Network Registrar (CPNR) 8.1(3.3), 8.2(3), and 8.3(2) has ...)
	NOT-FOR-US: Cisco
CVE-2015-6295 (Cisco NX-OS 6.1(2)I3(4) and 7.0(3)I1(1) on Nexus 9000 (N9K) devices al ...)
	NOT-FOR-US: Cisco
CVE-2015-6294 (Cisco IOS 15.2(3)E and earlier and IOS XE 3.6(2)E and earlier allow re ...)
	NOT-FOR-US: Cisco
CVE-2015-6293 (Cisco AsyncOS 8.x before 8.0.8-113, 8.1.x and 8.5.x before 8.5.3-051, ...)
	NOT-FOR-US: Cisco
CVE-2015-6292 (The proxy-cache implementation in Cisco AsyncOS 8.0.x before 8.0.7-151 ...)
	NOT-FOR-US: Cisco
CVE-2015-6291 (Cisco AsyncOS before 8.5.7-043, 9.x before 9.1.1-023, and 9.5.x and 9. ...)
	NOT-FOR-US: Cisco
CVE-2015-6290 (Cisco Web Security Appliance (WSA) 8.0.7 allows remote HTTP servers to ...)
	NOT-FOR-US: Cisco
CVE-2015-6289 (Cisco IOS 15.5(3)M on Integrated Services Router (ISR) 800, 819, and 8 ...)
	NOT-FOR-US: Cisco
CVE-2015-6288 (Cisco Content Security Management Appliance (SMA) 7.8.0-000 does not p ...)
	NOT-FOR-US: Cisco
CVE-2015-6287 (Cisco Web Security Appliance (WSA) 8.0.6-078 and 8.0.6-115 allows remo ...)
	NOT-FOR-US: Cisco
CVE-2015-6286 (Cisco Application Visibility and Control (AVC) 15.3(3)JA, when FlexCon ...)
	NOT-FOR-US: Cisco
CVE-2015-6285 (Format string vulnerability in Cisco Email Security Appliance (ESA) 7. ...)
	NOT-FOR-US: Cisco Email Security Appliance
CVE-2015-6284 (Buffer overflow in the Conference Control Protocol API implementation ...)
	NOT-FOR-US: Cisco TelePresence Server
CVE-2015-6283
	REJECTED
CVE-2015-6282 (Cisco IOS XE 2.x and 3.x before 3.10.6S, 3.11.xS through 3.13.xS befor ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6281
	RESERVED
CVE-2015-6280 (The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IO ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6279 (The IPv6 snooping functionality in the first-hop security subsystem in ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6278 (The IPv6 snooping functionality in the first-hop security subsystem in ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6277 (The ARP implementation in Cisco NX-OS on Nexus 1000V devices for VMwar ...)
	NOT-FOR-US: Cisco
CVE-2015-6276 (Cisco TelePresence IX5000 8.0.3 stores a private key associated with a ...)
	NOT-FOR-US: Cisco TelePresence
CVE-2015-6275
	RESERVED
CVE-2015-6274 (The IPv4 implementation on Cisco ASR 1000 devices with software 15.5(3 ...)
	NOT-FOR-US: Cisco ASR
CVE-2015-6273 (Cisco IOS XE before 3.1.2S on ASR 1000 devices mishandles the automati ...)
	NOT-FOR-US: Cisco
CVE-2015-6272 (Cisco IOS XE 2.1.0 through 2.2.3 and 2.3.0 on ASR 1000 devices, when N ...)
	NOT-FOR-US: Cisco
CVE-2015-6271 (Cisco IOS XE 2.1.0 through 2.4.3 and 2.5.0 on ASR 1000 devices, when N ...)
	NOT-FOR-US: Cisco
CVE-2015-6270 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...)
	NOT-FOR-US: Cisco
CVE-2015-6269 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...)
	NOT-FOR-US: Cisco
CVE-2015-6268 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...)
	NOT-FOR-US: Cisco
CVE-2015-6267 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...)
	NOT-FOR-US: Cisco
CVE-2015-6266 (The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.89 ...)
	NOT-FOR-US: Cisco
CVE-2015-6265 (The CLI in Cisco Application Control Engine (ACE) 4700 A5 3.0 and earl ...)
	NOT-FOR-US: Cisco
CVE-2015-6264
	REJECTED
CVE-2015-6263 (The RADIUS client implementation in Cisco IOS 15.4(3)M2.2, when a shar ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-6262 (Cross-site request forgery (CSRF) vulnerability in Cisco Prime Infrast ...)
	NOT-FOR-US: Cisco
CVE-2015-6261 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...)
	NOT-FOR-US: Cisco
CVE-2015-6260 (Cisco NX-OS 7.1(1)N1(1) on Nexus 5500, 5600, and 6000 devices does not ...)
	NOT-FOR-US: Cisco
CVE-2015-6259 (The JavaServer Pages (JSP) component in Cisco Integrated Management Co ...)
	NOT-FOR-US: Cisco
CVE-2015-6258 (The Internet Access Point Protocol (IAPP) module on Cisco Wireless LAN ...)
	NOT-FOR-US: Cisco
CVE-2015-6257
	RESERVED
CVE-2015-6256 (Cisco ASR 5000 devices with software 19.0.M0.60828 allow remote attack ...)
	NOT-FOR-US: Cisco Aggregation Services Router
CVE-2015-6255 (Cross-site scripting (XSS) vulnerability in Cisco Unified Web and E-Ma ...)
	NOT-FOR-US: Cisco Unified Web and E-Mail Interaction Manager
CVE-2015-6254 (The (1) Service Provider (SP) and (2) Identity Provider (IdP) in Picke ...)
	NOT-FOR-US: PicketLink
CVE-2015-6253 (edx-platform before 2015-08-17 allows XSS in the Studio listing of cou ...)
	NOT-FOR-US: Open edX
CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c i ...)
	- linux 4.1.3-1
	[jessie] - linux 3.16.7-ckt11-1
	[wheezy] - linux 3.2.71-1
	- linux-2.6
	[squeeze] - linux-2.6 (powerpc not supported in Squeeze LTS)
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/18/4
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a5cbce421a283e6aea3c4007f141735bf9da8c3 (v4.1-rc1)
CVE-2015-6252 (The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux ker ...)
	{DSA-3364-1}
	- linux 4.1.5-1
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code not present)
	NOTE: https://lkml.org/lkml/2015/8/10/375
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 (v4.2-rc5)
CVE-2015-6239
	RESERVED
CVE-2015-6238 (Multiple cross-site scripting (XSS) vulnerabilities in the Google Anal ...)
	NOT-FOR-US: Google Analyticator plugin for WordPress
CVE-2015-6237 (The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 ...)
	NOT-FOR-US: Tripwire IP360 VnE Manager
CVE-2015-6236
	REJECTED
CVE-2015-6235
	REJECTED
CVE-2015-6234
	REJECTED
CVE-2015-6233
	REJECTED
CVE-2015-6232
	REJECTED
CVE-2015-6231
	REJECTED
CVE-2015-6230
	REJECTED
CVE-2015-6229
	REJECTED
CVE-2015-6228
	REJECTED
CVE-2015-6227
	REJECTED
CVE-2015-6226
	REJECTED
CVE-2015-6225
	REJECTED
CVE-2015-6224
	REJECTED
CVE-2015-6223
	REJECTED
CVE-2015-6222
	REJECTED
CVE-2015-6221
	REJECTED
CVE-2015-6220
	REJECTED
CVE-2015-6219
	REJECTED
CVE-2015-6218
	REJECTED
CVE-2015-6217
	REJECTED
CVE-2015-6216
	REJECTED
CVE-2015-6215
	REJECTED
CVE-2015-6214
	REJECTED
CVE-2015-6213
	REJECTED
CVE-2015-6212
	REJECTED
CVE-2015-6211
	REJECTED
CVE-2015-6210
	REJECTED
CVE-2015-6209
	REJECTED
CVE-2015-6208
	REJECTED
CVE-2015-6207
	REJECTED
CVE-2015-6206
	REJECTED
CVE-2015-6205
	REJECTED
CVE-2015-6204
	REJECTED
CVE-2015-6203
	REJECTED
CVE-2015-6202
	REJECTED
CVE-2015-6201
	REJECTED
CVE-2015-6200
	REJECTED
CVE-2015-6199
	REJECTED
CVE-2015-6198
	REJECTED
CVE-2015-6197
	REJECTED
CVE-2015-6196
	REJECTED
CVE-2015-6195
	REJECTED
CVE-2015-6194
	REJECTED
CVE-2015-6193
	REJECTED
CVE-2015-6192
	REJECTED
CVE-2015-6191
	REJECTED
CVE-2015-6190
	REJECTED
CVE-2015-6189
	REJECTED
CVE-2015-6188
	REJECTED
CVE-2015-6187
	REJECTED
CVE-2015-6186
	REJECTED
CVE-2015-6185
	REJECTED
CVE-2015-6184 (The CAttrArray object implementation in Microsoft Internet Explorer 7 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6183
	REJECTED
CVE-2015-6182
	REJECTED
CVE-2015-6181
	REJECTED
CVE-2015-6180
	REJECTED
CVE-2015-6179
	REJECTED
CVE-2015-6178
	REJECTED
CVE-2015-6177 (Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, and Excel Vie ...)
	NOT-FOR-US: Microsoft
CVE-2015-6176 (Microsoft Edge mishandles HTML attributes in HTTP responses, which all ...)
	NOT-FOR-US: Microsoft
CVE-2015-6175 (The kernel in Microsoft Windows 10 Gold allows local users to gain pri ...)
	NOT-FOR-US: Microsoft
CVE-2015-6174 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2015-6173 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2015-6172 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6171 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2015-6170 (Microsoft Edge allows remote attackers to gain privileges via a crafte ...)
	NOT-FOR-US: Microsoft
CVE-2015-6169 (Microsoft Edge misparses HTTP responses, which allows remote attackers ...)
	NOT-FOR-US: Microsoft
CVE-2015-6168 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...)
	NOT-FOR-US: Microsoft
CVE-2015-6167
	REJECTED
CVE-2015-6166 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...)
	NOT-FOR-US: Microsoft
CVE-2015-6165 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...)
	NOT-FOR-US: Microsoft
CVE-2015-6164 (Microsoft Internet Explorer 9 through 11 improperly implements a cross ...)
	NOT-FOR-US: Microsoft
CVE-2015-6163
	REJECTED
CVE-2015-6162 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6161 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6160 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6159 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6158 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6157 (Microsoft Internet Explorer 11 allows remote attackers to obtain sensi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6156 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6155 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...)
	NOT-FOR-US: Microsoft
CVE-2015-6154 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6153 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6152 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6151 (Microsoft Internet Explorer 8 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6150 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6149 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft
CVE-2015-6148 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6147 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft
CVE-2015-6146 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft
CVE-2015-6145 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft
CVE-2015-6144 (Microsoft Internet Explorer 8 through 11 and Microsoft Edge mishandle ...)
	NOT-FOR-US: Microsoft
CVE-2015-6143 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6142 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6141 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft
CVE-2015-6140 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6139 (Microsoft Internet Explorer 11 and Microsoft Edge mishandle content ty ...)
	NOT-FOR-US: Microsoft
CVE-2015-6138 (Microsoft Internet Explorer 8 through 11 mishandles HTML attributes in ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6137
	REJECTED
CVE-2015-6136 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft
CVE-2015-6135 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft
CVE-2015-6134 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft
CVE-2015-6133 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...)
	NOT-FOR-US: Microsoft
CVE-2015-6132 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6131 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6130 (Integer underflow in Uniscribe in Microsoft Windows 7 SP1 and Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-6129
	REJECTED
CVE-2015-6128 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and W ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6127 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...)
	NOT-FOR-US: Windows Media Center
CVE-2015-6126 (Race condition in the Pragmatic General Multicast (PGM) protocol imple ...)
	NOT-FOR-US: Microsoft
CVE-2015-6125 (Use-after-free vulnerability in the DNS server in Microsoft Windows Se ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6124 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6123 (Cross-site scripting (XSS) vulnerability in Microsoft Excel for Mac 20 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6122 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011, Office C ...)
	NOT-FOR-US: Microsoft
CVE-2015-6121
	REJECTED
CVE-2015-6120
	REJECTED
CVE-2015-6119
	REJECTED
CVE-2015-6118 (Microsoft Office 2007 SP3 and Office 2010 SP2 allow remote attackers t ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-6117 (Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP ...)
	NOT-FOR-US: Microsoft
CVE-2015-6116
	REJECTED
CVE-2015-6115 (Microsoft .NET Framework 2.0 SP2, 3.5, and 3.5.1 allows remote attacke ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-6114 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...)
	NOT-FOR-US: Microsoft Silverlight
CVE-2015-6113 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6112 (SChannel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6111 (IPSec in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold an ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6110
	REJECTED
CVE-2015-6109 (The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows R ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6108 (The Windows font library in Microsoft Windows Vista SP2; Windows Serve ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6107 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6106 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6105
	REJECTED
CVE-2015-6104 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6103 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6102 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6101 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6100 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6099 (Cross-site scripting (XSS) vulnerability in ASP.NET in Microsoft .NET ...)
	NOT-FOR-US: Microsoft .NET
CVE-2015-6098 (Buffer overflow in the Network Driver Interface Standard (NDIS) implem ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6097 (Heap-based buffer overflow in Windows Journal in Microsoft Windows Vis ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6096 (The XML DTD parser in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, ...)
	NOT-FOR-US: Microsoft .NET
CVE-2015-6095 (Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-6094 (Microsoft Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 201 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6093 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6092 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6091 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6090
	REJECTED
CVE-2015-6089 (The Microsoft (1) VBScript and (2) JScript engines, as used in Interne ...)
	NOT-FOR-US: Microsoft
CVE-2015-6088 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6087 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6086 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ob ...)
	NOT-FOR-US: Microsoft
CVE-2015-6085 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft
CVE-2015-6084 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft
CVE-2015-6083 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6082 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6081 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6080 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6079 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6078 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-6077 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6076 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6075 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6074 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6073 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2015-6072 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6071 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6070 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6069 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6068 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft
CVE-2015-6067
	REJECTED
CVE-2015-6066 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6065 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft
CVE-2015-6064 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...)
	NOT-FOR-US: Microsoft
CVE-2015-6063
	REJECTED
CVE-2015-6062
	REJECTED
CVE-2015-6061 (Cross-site scripting (XSS) vulnerability in Microsoft Skype for Busine ...)
	NOT-FOR-US: Microsoft
CVE-2015-6060
	REJECTED
CVE-2015-6059 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft
CVE-2015-6058 (Microsoft Edge mishandles HTML attributes in HTTP responses, which all ...)
	NOT-FOR-US: Microsoft Edge
CVE-2015-6057 (Microsoft Edge allows remote attackers to obtain sensitive information ...)
	NOT-FOR-US: Microsoft Edge
CVE-2015-6056 (The (1) JScript and (2) VBScript engines in Microsoft Internet Explore ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6055 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft
CVE-2015-6054
	REJECTED
CVE-2015-6053 (Microsoft Internet Explorer 11 allows remote attackers to obtain sensi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6052 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft
CVE-2015-6051 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6050 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6049 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6048 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6047 (The broker EditWith feature in Microsoft Internet Explorer 8 through 1 ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6046 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ob ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6045 (Use-after-free vulnerability in the CElement object implementation in ...)
	NOT-FOR-US: Microsoft
CVE-2015-6044 (Microsoft Internet Explorer 8 allows remote attackers to gain privileg ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6043
	REJECTED
CVE-2015-6042 (Use-after-free vulnerability in the CWindow object implementation in M ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-6041
	REJECTED
CVE-2015-6040 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011, Excel 20 ...)
	NOT-FOR-US: Microsoft
CVE-2015-6039 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...)
	NOT-FOR-US: Microsoft
CVE-2015-6038 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...)
	NOT-FOR-US: Microsoft
CVE-2015-6037 (Cross-site scripting (XSS) vulnerability in Microsoft Excel Services o ...)
	NOT-FOR-US: Microsoft
CVE-2015-6036 (QNAP Signage Station before 2.0.1 allows remote attackers to bypass au ...)
	NOT-FOR-US: QNAP Signage Station
CVE-2015-6035 (Opsview before 2015-11-06 has XSS via SNMP. ...)
	NOT-FOR-US: Opsview
CVE-2015-6034 (EPSON Network Utility 4.10 uses weak permissions (Everyone: Full Contr ...)
	NOT-FOR-US: Epson
CVE-2015-6033 (Qolsys IQ Panel (aka QOL) before 1.5.1 does not verify the digital sig ...)
	NOT-FOR-US: Qolsys IQ Panel
CVE-2015-6032 (Qolsys IQ Panel (aka QOL) before 1.5.1 has hardcoded cryptographic key ...)
	NOT-FOR-US: Qolsys IQ Panel
CVE-2015-6031 (Buffer overflow in the IGDstartelt function in igd_desc_parse.c in the ...)
	{DSA-3379-1}
	- miniupnpc 1.9.20140610-2.1 (bug #802650)
	NOTE: http://talosintel.com/reports/TALOS-2015-0035/
	NOTE: https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
CVE-2015-6030 (HP ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, ...)
	NOT-FOR-US: HP Arcsight Logger
CVE-2015-6029 (HP ArcSight Logger before 6.0 P2 does not limit attempts to authentica ...)
	NOT-FOR-US: HP Arcsight Logger
CVE-2015-6028 (Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via th ...)
	NOT-FOR-US: Castle Rock Computing SNMPc
CVE-2015-6027 (Castle Rock Computing SNMPc before 2015-12-17 has XSS via SNMP. ...)
	NOT-FOR-US: Castle Rock Computing SNMPc
CVE-2015-6026
	RESERVED
CVE-2015-6025
	RESERVED
CVE-2015-6024 (ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmwar ...)
	NOT-FOR-US: NetCommWireless
CVE-2015-6023 (ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmwar ...)
	NOT-FOR-US: NetCommWireless
CVE-2015-6022 (Unrestricted file upload vulnerability in QNAP Signage Station before ...)
	NOT-FOR-US: QNAP Signage Station
CVE-2015-6021 (Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response. ...)
	NOT-FOR-US: Spiceworks Desktop
CVE-2015-6020 (ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 allow remote auth ...)
	NOT-FOR-US: ZyXEL
CVE-2015-6019 (The management portal on ZyXEL PMG5318-B20A devices with firmware 1.00 ...)
	NOT-FOR-US: ZyXEL
CVE-2015-6018 (The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with ...)
	NOT-FOR-US: ZyXEL
CVE-2015-6017 (Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 ...)
	NOT-FOR-US: ZyXEL
CVE-2015-6016 (ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B2 ...)
	NOT-FOR-US: ZyXEL
CVE-2015-6015 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-6014 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-6013 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-6012 (Multiple open redirect vulnerabilities in Web Reference Database (aka ...)
	NOT-FOR-US: Web Reference Database (aka refbase)
CVE-2015-6011 (Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge b ...)
	NOT-FOR-US: Web Reference Database (aka refbase)
CVE-2015-6010 (Multiple cross-site scripting (XSS) vulnerabilities in Web Reference D ...)
	NOT-FOR-US: Web Reference Database (aka refbase)
CVE-2015-6009 (Multiple SQL injection vulnerabilities in Web Reference Database (aka ...)
NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6008 (install.php in Web Reference Database (aka refbase) through 0.9.6 allo ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6007 (Cross-site request forgery (CSRF) vulnerability in Web Reference Datab ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6006 (The AddUserFinding implementation in Medicomp MEDCIN Engine 2.22.20153 ...) NOT-FOR-US: Medicomp CVE-2015-6005 (Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsU ...) NOT-FOR-US: IPSwitch CVE-2015-6004 (Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before ...) NOT-FOR-US: IPSwitch CVE-2015-6003 (Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 ...) NOT-FOR-US: QNAP QTS CVE-2015-6002 RESERVED CVE-2015-6001 RESERVED CVE-2015-6000 (Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyD ...) NOT-FOR-US: Vtiger CRM CVE-2015-5999 (Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Li ...) NOT-FOR-US: D-Link DIR-816L Wireless Router CVE-2015-5998 (Impero Education Pro before 5105 relies on the -1|AUTHENTICATE\x02PASS ...) NOT-FOR-US: Impero Education Pro CVE-2015-5997 (Impero Education Pro before 5105 uses a hardcoded CBC key and initiali ...) NOT-FOR-US: Impero Education Pro CVE-2015-5996 (Cross-site request forgery (CSRF) vulnerability on Mediabridge Mediali ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5995 (Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and T ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5994 (The web management interface on Mediabridge Medialink MWN-WAPR300N dev ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5993 (Buffer overflow in form2ping.cgi on Philippine Long Distance Telephone ...) NOT-FOR-US: SpeedSurf CVE-2015-5992 (Cross-site scripting (XSS) vulnerability in form2WlanSetup.cgi on Phil ...) 
NOT-FOR-US: SpeedSurf CVE-2015-5991 (Cross-site request forgery (CSRF) vulnerability in form2WlanSetup.cgi ...) NOT-FOR-US: SpeedSurf CVE-2015-5990 (Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 de ...) NOT-FOR-US: Belkin devices CVE-2015-5989 (Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side Jav ...) NOT-FOR-US: Belkin devices CVE-2015-5988 (The web management interface on Belkin F9K1102 2 devices with firmware ...) NOT-FOR-US: Belkin devices CVE-2015-5987 (Belkin F9K1102 2 devices with firmware 2.10.17 use an improper algorit ...) NOT-FOR-US: Belkin devices CVE-2015-6241 (The proto_tree_add_bytes_item function in epan/proto.c in the protocol ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-21.html CVE-2015-6242 (The wmem_block_split_free_chunk function in epan/wmem/wmem_allocator_b ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-22.html CVE-2015-6243 (The dissector-table implementation in epan/packet.c in Wireshark 1.12. ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-23.html CVE-2015-6244 (The dissect_zbee_secure function in epan/dissectors/packet-zbee-securi ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-24.html CVE-2015-6245 (epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC/MAC dissector in Wi ...) 
{DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-25.html CVE-2015-6246 (The dissect_wa_payload function in epan/dissectors/packet-waveagent.c ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-26.html CVE-2015-6247 (The dissect_openflow_tablemod_v5 function in epan/dissectors/packet-op ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-27.html CVE-2015-6248 (The ptvcursor_add function in the ptvcursor implementation in epan/pro ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-28.html CVE-2015-6249 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-29.html CVE-2015-6250 (simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be ...) NOT-FOR-US: simple-php-captcha CVE-2015-5986 (openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x ...) - bind9 (Vulnerable code present only since 9.9.7) NOTE: https://kb.isc.org/article/AA-01291 CVE-2015-6496 (conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that t ...) 
{DSA-3341-1 DLA-295-1} - conntrack 1:1.4.2-3 (bug #796103) NOTE: https://www.openwall.com/lists/oss-security/2015/08/14/4 NOTE: http://bugzilla.netfilter.org/show_bug.cgi?id=910 NOTE: https://git.netfilter.org/conntrack-tools/commit/?id=c392c159605956c7bd4a264ab4490e2b2704c0cd CVE-2015-5985 REJECTED CVE-2015-5984 REJECTED CVE-2015-5983 REJECTED CVE-2015-5982 REJECTED CVE-2015-5981 REJECTED CVE-2015-5980 REJECTED CVE-2015-5979 REJECTED CVE-2015-5978 REJECTED CVE-2015-5977 REJECTED CVE-2015-5976 REJECTED CVE-2015-5975 REJECTED CVE-2015-5974 REJECTED CVE-2015-5973 REJECTED CVE-2015-5972 REJECTED CVE-2015-5971 REJECTED CVE-2015-5970 (The ChangePassword RPC method in Novell ZENworks Configuration Managem ...) NOT-FOR-US: Novell CVE-2015-5969 (The mysql-systemd-helper script in the mysql-community-server package ...) NOT-FOR-US: SuSE-specific mysql packaging bug CVE-2015-5968 (Cross-site scripting (XSS) vulnerability in Novell Filr 1.2 before Hot ...) NOT-FOR-US: Novell CVE-2015-5967 REJECTED CVE-2015-5966 REJECTED CVE-2015-5965 (The SSL-VPN feature in Fortinet FortiOS before 4.3.13 only checks the ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-6506 (Cross-site scripting (XSS) vulnerability in the cryptography interface ...) {DSA-3335-1} - request-tracker4 4.2.11-2 [jessie] - request-tracker4 4.2.8-3+deb8u1 [wheezy] - request-tracker4 (Vulnerable code not present) NOTE: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4 NOTE: https://www.openwall.com/lists/oss-security/2015/08/13/8 CVE-2015-6565 (sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY de ...) 
- openssh (Vulnerable code introduced in V_6_8_P1) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a NOTE: Issue introduced with https://anongit.mindrot.org/openssh.git/commit/?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2 (V_6_8_P1) NOTE: https://www.openwall.com/lists/oss-security/2015/08/12/1 CVE-2015-6563 (The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD pla ...) {DLA-1500-1} - openssh 1:6.9p1-1 (bug #795711) [wheezy] - openssh (Minor issue) [squeeze] - openssh (Minor issue) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/9 CVE-2015-6564 (Use-after-free vulnerability in the mm_answer_pam_free_ctx function in ...) {DLA-1500-1} - openssh 1:6.9p1-1 (bug #795711) [wheezy] - openssh (Minor issue) [squeeze] - openssh (Minor issue) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/9 CVE-2015-6737 (Cross-site scripting (XSS) vulnerability in the Widgets extension for ...) NOT-FOR-US: Widgets extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T88964 CVE-2015-6736 (The Quiz extension for MediaWiki allows remote attackers to cause a de ...) NOT-FOR-US: Quiz extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T97083 CVE-2015-6735 (The reset functionality in the TimedMediaHandler extension for MediaWi ...) NOT-FOR-US: TimedMediaHandler extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T100211 CVE-2015-6734 (Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the ...) - mediawiki-extensions (contrib directory not present) NOTE: https://phabricator.wikimedia.org/T108198 CVE-2015-6733 (GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki be ...) 
- mediawiki-extensions (contrib directory not present) NOTE: https://phabricator.wikimedia.org/T108198 CVE-2015-6732 (Multiple cross-site scripting (XSS) vulnerabilities in the SemanticFor ...) NOT-FOR-US: SemanticForms extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T103391 NOTE: https://phabricator.wikimedia.org/T103765 NOTE: https://phabricator.wikimedia.org/T103765 CVE-2015-6731 (Multiple cross-site scripting (XSS) vulnerabilities in the SemanticFor ...) NOT-FOR-US: SemanticForms extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T103391 NOTE: https://phabricator.wikimedia.org/T103765 NOTE: https://phabricator.wikimedia.org/T103765 CVE-2015-6730 (Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki bef ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T97391 CVE-2015-6729 (Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki bef ...) - mediawiki (Introduced in 1.21) NOTE: https://phabricator.wikimedia.org/T97391 CVE-2015-6728 (The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1. ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T94116 CVE-2015-6727 (The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.2 ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T106893 NOTE: https://github.com/wikimedia/mediawiki/commit/5faabfa1bbf65536ea36108887040198afcb3c82 CVE-2015-5964 (The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache ...) 
{DSA-3338-1 DLA-301-1} - python-django 1.7.10-1 (bug #796104) NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ CVE-2015-5963 (contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1 ...) {DSA-3338-1 DLA-301-1} - python-django 1.7.10-1 (bug #796104) NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ CVE-2015-5962 (Integer signedness error in the SharedBufferManagerParent::RecvAllocat ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-5961 (The COPPA error page in the Accounts setup dialog in Mozilla Firefox O ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-5960 (Mozilla Firefox OS before 2.2 allows physically proximate attackers to ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-6520 (IPPUSBXD before 1.22 listens on all interfaces, which allows remote at ...) - ippusbxd 1.22-1 (bug #795162) NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/1 NOTE: https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f NOTE: https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82 CVE-2015-XXXX [publicfile-installer: insecure use of /tmp] - publicfile-installer 0.11-1 (bug #795062) CVE-2015-XXXX [net/http: broken trailers don't close a server connection] - golang 2:1.4.3-1 [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/issues/12027 NOTE: https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/06/2 CVE-2015-6251 (Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4 ...) 
{DSA-3334-1} - gnutls28 3.3.17-1 (bug #795068) - gnutls26 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2015/08/10/1 NOTE: https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12 NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2015-3 NOTE: _gnutls_x509_dn_to_string() introduced in 3.1.10 via: NOTE: https://gitlab.com/gnutls/gnutls/commit/6be35136333b5d6289f23209cf896e741462909a CVE-2015-5958 (phpFileManager 0.9.8 allows remote attackers to execute arbitrary comm ...) NOT-FOR-US: phpFileManager CVE-2015-5956 (The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7 ...) - typo3-src [wheezy] - typo3-src (See DSA 3314) [squeeze] - typo3-src (not supported in squeeze-lts) NOTE: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/ CVE-2015-5955 (ownCloud iOS app before 3.4.4 does not properly switch state between m ...) NOT-FOR-US: ownCloud iOS app CVE-2015-5954 (The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7 ...) {DSA-3373-1} - owncloud 7.0.7~dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-011 CVE-2015-5953 (Cross-site scripting (XSS) vulnerability in the activity application i ...) {DSA-3373-1} - owncloud 7.0.6+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-010 CVE-2015-5952 (Directory traversal vulnerability in Thomson Reuters for FATCA before ...) NOT-FOR-US: Thomson Reuters FATCA CVE-2015-5951 (A file upload issue exists in the specid parameter in Thomson Reuters ...) NOT-FOR-US: Thomson Reuters FATCA CVE-2015-5950 (The NVIDIA display driver R352 before 353.82 and R340 before 341.81 on ...) 
- nvidia-graphics-drivers 340.93-1 (bug #800566) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) [squeeze] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx 304.128-5 [jessie] - nvidia-graphics-drivers-legacy-304xx 304.128-1 CVE-2015-5949 (VideoLAN VLC media player 2.2.1 allows remote attackers to cause a den ...) {DSA-3342-1} - vlc 2.2.1-3 (bug #796255) [wheezy] - vlc (Vulnerability introduced by later changes) [squeeze] - vlc (Vulnerability introduced by later changes) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd NOTE: http://www.ocert.org/advisories/ocert-2015-009.html CVE-2015-5948 (Race condition in SuiteCRM before 7.2.3 allows remote attackers to exe ...) NOT-FOR-US: SuiteCRM CVE-2015-5947 (SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: SuiteCRM CVE-2015-5946 (Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote aut ...) NOT-FOR-US: SugarCRM CVE-2015-5945 (The Sandbox subsystem in Apple OS X before 10.11.1 allows local users ...) NOT-FOR-US: Apple CVE-2015-5944 (CoreText in Apple OS X before 10.11.1 allows remote attackers to execu ...) NOT-FOR-US: Apple CVE-2015-5943 (SecurityAgent in Apple OS X before 10.11.1 does not prevent synthetic ...) NOT-FOR-US: Apple CVE-2015-5942 (FontParser in Apple iOS before 9.1, OS X before 10.11.1, and watchOS b ...) NOT-FOR-US: Apple CVE-2015-5941 REJECTED CVE-2015-5940 (The Accelerate Framework component in Apple iOS before 9.1 and OS X be ...) NOT-FOR-US: Apple CVE-2015-5939 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5938 (ImageIO in Apple OS X before 10.11.1 allows remote attackers to execut ...) 
NOT-FOR-US: Apple CVE-2015-5937 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5936 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5935 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5934 (Audio in Apple OS X before 10.11.1 allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5933 (Audio in Apple OS X before 10.11.1 allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5932 (The kernel in Apple OS X before 10.11.1 allows local users to gain pri ...) NOT-FOR-US: Apple CVE-2015-5931 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...) NOT-FOR-US: Webkit as used by Apple CVE-2015-5930 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5929 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5928 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5927 (FontParser in Apple iOS before 9.1, OS X before 10.11.1, and watchOS b ...) NOT-FOR-US: Apple CVE-2015-5926 (The CoreGraphics component in Apple iOS before 9.1, OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-5925 (The CoreGraphics component in Apple iOS before 9.1, OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-5924 (The OpenGL implementation in Apple iOS before 9.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-5923 (Apple iOS before 9.0.2 does not properly restrict the options availabl ...) NOT-FOR-US: Apple CVE-2015-5922 (Unspecified vulnerability in International Components for Unicode (ICU ...) NOT-FOR-US: Apple CVE-2015-5921 (WebKit in Apple iOS before 9 mishandles "Content-Disposition: attachme ...) 
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5920 (The Software Update component in Apple iTunes before 12.3 does not pro ...) NOT-FOR-US: Apple CVE-2015-5919 (GasGauge in Apple watchOS before 2 allows local users to gain privileg ...) NOT-FOR-US: Apple watchOS CVE-2015-5918 (GasGauge in Apple watchOS before 2 allows local users to gain privileg ...) NOT-FOR-US: Apple watchOS CVE-2015-5917 (The glob implementation in tnftpd (formerly lukemftpd), as used in App ...) NOT-FOR-US: Apple CVE-2015-5916 (The Apple Pay component in Apple iOS before 9 allows remote terminals ...) NOT-FOR-US: Apple CVE-2015-5915 (Apple OS X before 10.11 does not ensure that the keychain's lock state ...) NOT-FOR-US: Apple CVE-2015-5914 (The EFI component in Apple OS X before 10.11 allows physically proxima ...) NOT-FOR-US: Apple CVE-2015-5913 (Heimdal, as used in Apple OS X before 10.11, allows remote attackers t ...) NOT-FOR-US: Apple CVE-2015-5912 (The CFNetwork FTPProtocol component in Apple iOS before 9 allows remot ...) NOT-FOR-US: Apple CVE-2015-5911 (Multiple unspecified vulnerabilities in Twisted in Wiki Server in Appl ...) NOT-FOR-US: Apple CVE-2015-5910 (IDE Xcode Server in Apple Xcode before 7.0 does not ensure that server ...) NOT-FOR-US: Apple CVE-2015-5909 (IDE Xcode Server in Apple Xcode before 7.0 does not properly restrict ...) NOT-FOR-US: Apple CVE-2015-5908 REJECTED CVE-2015-5907 (WebKit in Apple iOS before 9 allows man-in-the-middle attackers to con ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5906 (The HTML form implementation in WebKit in Apple iOS before 9 does not ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5905 (Safari in Apple iOS before 9 allows remote attackers to spoof the rela ...) 
NOT-FOR-US: Apple CVE-2015-5904 (Safari in Apple iOS before 9 allows remote attackers to spoof the rela ...) NOT-FOR-US: Apple CVE-2015-5903 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-5902 (The debugging feature in the kernel in Apple OS X before 10.11 mismana ...) NOT-FOR-US: Apple CVE-2015-5901 (The Secure Empty Trash feature in Finder in Apple OS X before 10.11 im ...) NOT-FOR-US: Apple CVE-2015-5900 (The protected range register in the EFI component in Apple OS X before ...) NOT-FOR-US: Apple CVE-2015-5899 (libpthread in the kernel in Apple iOS before 9 allows local users to g ...) NOT-FOR-US: Apple CVE-2015-5898 (CFNetwork in Apple iOS before 9 relies on the hardware UID for its cac ...) NOT-FOR-US: Apple CVE-2015-5897 (The Address Book framework in Apple OS X before 10.11 allows local use ...) NOT-FOR-US: Apple CVE-2015-5896 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-5895 (Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as use ...) NOT-FOR-US: Apple CVE-2015-5894 (The X.509 certificate-trust implementation in Apple OS X before 10.11 ...) NOT-FOR-US: Apple CVE-2015-5893 (SMBClient in SMB in Apple OS X before 10.11 allows local users to obta ...) NOT-FOR-US: Apple CVE-2015-5892 (Siri in Apple iOS before 9 allows physically proximate attackers to by ...) NOT-FOR-US: Apple CVE-2015-5891 (The SMB implementation in the kernel in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5890 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5889 (rsh in the remote_cmds component in Apple OS X before 10.11 allows loc ...) NOT-FOR-US: Apple CVE-2015-5888 (The Install Framework Legacy component in Apple OS X before 10.11 allo ...) NOT-FOR-US: Apple CVE-2015-5887 (The TLS Handshake Protocol implementation in Secure Transport in Apple ...) 
NOT-FOR-US: Apple CVE-2015-5886 REJECTED CVE-2015-5885 (The CFNetwork Cookies component in Apple iOS before 9 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5884 (The Mail Drop feature in Mail in Apple OS X before 10.11 mishandles en ...) NOT-FOR-US: Apple CVE-2015-5883 (The bidirectional text-display and text-selection implementations in T ...) NOT-FOR-US: Apple CVE-2015-5882 (The processor_set_tasks API implementation in Apple iOS before 9 allow ...) NOT-FOR-US: Apple CVE-2015-5881 REJECTED CVE-2015-5880 (CoreAnimation in Apple iOS before 9 allows attackers to bypass intende ...) NOT-FOR-US: Apple CVE-2015-5879 (XNU in the kernel in Apple iOS before 9 does not properly validate the ...) NOT-FOR-US: Apple CVE-2015-5878 (Notes in Apple OS X before 10.11 misparses links, which allows local u ...) NOT-FOR-US: Apple CVE-2015-5877 (The Intel Graphics Driver component in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5876 (dyld in Dev Tools in Apple iOS before 9 allows attackers to execute ar ...) NOT-FOR-US: Apple CVE-2015-5875 (Cross-site scripting (XSS) vulnerability in Notes in Apple OS X before ...) NOT-FOR-US: Apple CVE-2015-5874 (CoreText in Apple iOS before 9 and iTunes before 12.3 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5873 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5872 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5871 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5870 (The debugging interfaces in the kernel in Apple OS X before 10.11 allo ...) NOT-FOR-US: Apple CVE-2015-5869 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Apple CVE-2015-5868 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) 
NOT-FOR-US: Apple CVE-2015-5867 (IOHIDFamily in Apple iOS before 9 allows attackers to execute arbitrar ...) NOT-FOR-US: Apple CVE-2015-5866 (IOHIDFamily in Apple OS X before 10.11 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2015-5865 (IOGraphics in Apple OS X before 10.11 allows attackers to obtain sensi ...) NOT-FOR-US: Apple CVE-2015-5864 (IOAudioFamily in Apple OS X before 10.11 allows local users to obtain ...) NOT-FOR-US: Apple CVE-2015-5863 (IOStorageFamily in Apple iOS before 9 does not properly initialize an ...) NOT-FOR-US: Apple CVE-2015-5862 (The Audio component in Apple iOS before 9 allows remote attackers to c ...) NOT-FOR-US: Apple CVE-2015-5861 (SpringBoard in Apple iOS before 9 allows physically proximate attacker ...) NOT-FOR-US: Apple CVE-2015-5860 (The CFNetwork HTTPProtocol component in Apple iOS before 9 mishandles ...) NOT-FOR-US: Apple CVE-2015-5859 (The CFNetwork HTTPProtocol component in Apple iOS before 9 and OS X be ...) NOT-FOR-US: Apple CVE-2015-5858 (The CFNetwork HTTPProtocol component in Apple iOS before 9 allows remo ...) NOT-FOR-US: Apple CVE-2015-5857 (Mail in Apple iOS before 9 allows remote attackers to use an address-b ...) NOT-FOR-US: Apple CVE-2015-5856 (The Application Store component in Apple iOS before 9 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5855 (Apple iOS before 9 allows attackers to discover the e-mail address of ...) NOT-FOR-US: Apple CVE-2015-5854 (The backup implementation in Time Machine in Apple OS X before 10.11 a ...) NOT-FOR-US: Apple CVE-2015-5853 (AirScan in Apple OS X before 10.11 allows man-in-the-middle attackers ...) NOT-FOR-US: Apple CVE-2015-5852 REJECTED CVE-2015-5851 (The convenience initializer in the Multipeer Connectivity component in ...) NOT-FOR-US: Apple CVE-2015-5850 (AppleKeyStore in Apple iOS before 9 allows physically proximate attack ...) NOT-FOR-US: Apple CVE-2015-5849 (The filtering implementation in AppleEvents in Apple OS X before 10.11 ...) 
NOT-FOR-US: Apple CVE-2015-5848 (IOAcceleratorFamily in Apple iOS before 9 allows local users to gain p ...) NOT-FOR-US: Apple CVE-2015-5847 (The Disk Images component in Apple iOS before 9 allows local users to ...) NOT-FOR-US: Apple CVE-2015-5846 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5845 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5844 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5843 (IOMobileFrameBuffer in Apple iOS before 9 allows local users to gain p ...) NOT-FOR-US: Apple CVE-2015-5842 (XNU in the kernel in Apple iOS before 9 does not properly initialize a ...) NOT-FOR-US: Apple CVE-2015-5841 (The CFNetwork Proxies component in Apple iOS before 9 does not properl ...) NOT-FOR-US: Apple CVE-2015-5840 (The checkint division routines in removefile in Apple iOS before 9 all ...) NOT-FOR-US: Apple CVE-2015-5839 (dyld in Apple iOS before 9 allows attackers to bypass a code-signing p ...) NOT-FOR-US: Apple CVE-2015-5838 (SpringBoard in Apple iOS before 9 does not properly restrict access to ...) NOT-FOR-US: Apple CVE-2015-5837 (PluginKit in Apple iOS before 9 allows attackers to bypass an intended ...) NOT-FOR-US: Apple CVE-2015-5836 (Apple Online Store Kit in Apple OS X before 10.11 improperly validates ...) NOT-FOR-US: Apple CVE-2015-5835 (Apple iOS before 9 allows attackers to obtain sensitive information ab ...) NOT-FOR-US: Apple CVE-2015-5834 (IOAcceleratorFamily in Apple iOS before 9 allows attackers to obtain s ...) NOT-FOR-US: Apple CVE-2015-5833 (The Login Window component in Apple OS X before 10.11 does not ensure ...) NOT-FOR-US: Apple CVE-2015-5832 (The iTunes Store component in Apple iOS before 9 does not properly del ...) NOT-FOR-US: Apple CVE-2015-5831 (NetworkExtension in the kernel in Apple iOS before 9 does not properly ...) 
NOT-FOR-US: Apple CVE-2015-5830 (The Intel Graphics Driver component in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5829 (Data Detectors Engine in Apple iOS before 9 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2015-5828 (The API in the WebKit Plug-ins component in Apple Safari before 9 does ...) NOT-FOR-US: Apple Safari CVE-2015-5827 (WebKit in Apple iOS before 9 allows remote attackers to bypass the Sam ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5826 (WebKit in Apple iOS before 9 does not properly select the cases in whi ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5825 (WebKit in Apple iOS before 9 does not properly restrict the availabili ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5824 (The NSURL implementation in the CFNetwork SSL component in Apple iOS b ...) NOT-FOR-US: Apple CVE-2015-5823 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5822 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5821 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5820 (WebKit in Apple iOS before 9 allows remote attackers to trigger a dial ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5819 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) 
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5818 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5817 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5816 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5815 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5814 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5813 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5812 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5811 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5810 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5809 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) 
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5808 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5807 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5806 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5805 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5804 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5803 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5802 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5801 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5800 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5799 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) 
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5798 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5797 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5796 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5795 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5794 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5793 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5792 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5791 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5790 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5789 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5788 (The WebKit Canvas implementation in Apple iOS before 9 allows remote a ...)
	NOT-FOR-US: Apple
CVE-2015-5787 (The kernel in Apple iOS before 8.4.1 does not properly restrict debugg ...)
	NOT-FOR-US: Apple
CVE-2015-5786 (Apple QuickTime before 7.7.8 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple
CVE-2015-5785 (Apple QuickTime before 7.7.8 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple
CVE-2015-5784 (runner in Install.framework in the Install Framework Legacy component ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5783 (IOGraphics in Apple OS X before 10.10.5 allows attackers to execute ar ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5782 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not pro ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5781 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not pro ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5780 (The Safari Extensions implementation in Apple Safari before 9 does not ...)
	NOT-FOR-US: Apple
CVE-2015-5779 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5778 (CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5777 (CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5776 (Libinfo in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...)
	NOT-FOR-US: Apple
CVE-2015-5775 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5774 (Buffer overflow in IOHIDFamily in Apple iOS before 8.4.1 and OS X befo ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5773 (QL Office in Apple iOS before 8.4.1 and OS X before 10.10.5 allows rem ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5772 (Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.5 al ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5771 (Quartz Composer Framework in Apple OS X before 10.10.5 allows remote a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5770 (MobileInstallation in Apple iOS before 8.4.1 does not ensure the uniqu ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5769 (The MSVDX driver in Apple iOS before 8.4.1 allows remote attackers to ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5768 (AppleGraphicsControl in Apple OS X before 10.10.5 allows attackers to ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5767 (The user interface in Safari in Apple iOS before 9 allows remote attac ...)
	NOT-FOR-US: Apple
CVE-2015-5766 (Directory traversal vulnerability in Air Traffic in Apple iOS before 8 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5765 (The user interface in Safari in Apple iOS before 9 allows remote attac ...)
	NOT-FOR-US: Apple
CVE-2015-5764 (The user interface in Safari in Apple iOS before 9 allows remote attac ...)
	NOT-FOR-US: Apple
CVE-2015-5763 (ntfs in Apple OS X before 10.10.5 allows local users to gain privilege ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5762
	RESERVED
CVE-2015-5761 (CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remo ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5760
	REJECTED
CVE-2015-5759 (WebKit in Apple iOS before 8.4.1 allows remote attackers to spoof clic ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-5758 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5757 (libpthread in Apple iOS before 8.4.1 and OS X before 10.10.5 allows at ...)
	NOT-FOR-US: Apple
CVE-2015-5756 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5755 (CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remo ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5754 (Race condition in runner in Install.framework in the Install Framework ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5753 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5752 (Backup in Apple iOS before 8.4.1 allows attackers to bypass intended r ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5751 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5750 (Data Detectors Engine in Apple OS X before 10.10.5 allows attackers to ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5749 (The Sandbox_profiles component in Apple iOS before 8.4.1 allows attack ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5748 (The kernel in Apple OS X before 10.10.5 does not properly mount HFS vo ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5747 (The fasttrap driver in the kernel in Apple OS X before 10.10.5 allows ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5746 (AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass ...)
	NOT-FOR-US: Apple OS X
CVE-2015-5744
	RESERVED
CVE-2015-5743
	RESERVED
CVE-2015-5742 (VeeamVixProxy in Veeam Backup & Replication (B&R) before 8.0 u ...)
	NOT-FOR-US: Veeam
CVE-2015-5738 (The RSA-CRT implementation in the Cavium Software Development Kit (SDK ...)
	- openssl (OpenSSL upstream is not affected)
CVE-2015-5959 (Froxlor before 0.9.33.2 with the default configuration/setup might all ...)
	- froxlor (bug #581792)
CVE-2015-5957 (Buffer overflow in the DumpSysVar function in var.c in Remind before 3 ...)
	{DLA-289-1}
	- remind 03.01.15-1 (unimportant)
	NOTE: Non-exploitable starting with Wheezy due to D_FORTIFY_SOURCE
CVE-2015-5745 (Buffer overflow in the send_control_msg function in hw/char/virtio-ser ...)
	{DSA-3349-1 DSA-3348-1}
	- qemu 1:2.4+dfsg-1a (bug #795087)
	[wheezy] - qemu 1.1.2+dfsg-6a+deb7u9
	[squeeze] - qemu (Vulnerable code introduced later)
	- qemu-kvm
	[squeeze] - qemu-kvm (Vulnerable code introduced later)
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/06/3
	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=7882080388be5088e72c425b02223c02e6cb4295 (v2.4.0-rc3)
	NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=98b19252cf1bd97c54bc4613f3537c5ec0aae263 (v0.13.0-rc0)
	NOTE: Patch for wheezy needs changes since it uses iov_from_buf:
	NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dcf6f5e15ecee4f593eeacbe0591c1addc004d92
	NOTE: iov_* function changed in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2278a69e7020d86a8c73a28474e7709d3e7d5081 (v1.2.0-rc0)
CVE-2015-5737 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, (4) md ...)
	NOT-FOR-US: Fortinet
CVE-2015-5736 (The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows ...)
	NOT-FOR-US: Fortinet
CVE-2015-5735 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4 ...)
	NOT-FOR-US: Fortinet
CVE-2015-5729 (The Soft Access Point (AP) feature in Samsung Smart TVs X10P, X12, X14 ...)
	NOT-FOR-US: Samsung
CVE-2015-5728
	RESERVED
CVE-2015-5727 (The BER decoder in Botan 1.10.x before 1.10.10 and 1.11.x before 1.11. ...)
	{DSA-3565-1 DLA-449-1}
	- botan1.10 1.10.10-1
	NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
	NOTE: http://botan.randombit.net/security.html
CVE-2015-5726 (The BER decoder in Botan 0.10.x before 1.10.10 and 1.11.x before 1.11. ...)
	{DSA-3565-1 DLA-449-1}
	- botan1.10 1.10.10-1
	NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
	NOTE: http://botan.randombit.net/security.html
CVE-2015-5725 (SQL injection vulnerability in the offset method in the Active Record ...)
	- codeigniter (bug #471583)
CVE-2015-5741 (The net/http library in net/http/transfer.go in Go before 1.4.3 does n ...)
	- golang 2:1.4.2-4 (bug #795106)
	[jessie] - golang (Minor issue)
	[wheezy] - golang (Minor issue)
	NOTE: https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
	NOTE: https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
CVE-2015-5740 (The net/http library in net/http/transfer.go in Go before 1.4.3 does n ...)
	- golang 2:1.4.2-4 (bug #795106)
	[jessie] - golang (Minor issue)
	[wheezy] - golang (Minor issue)
	NOTE: https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
	NOTE: https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
CVE-2015-5739 (The net/http library in net/textproto/reader.go in Go before 1.4.3 doe ...)
	- golang 2:1.4.2-4 (bug #795106)
	[jessie] - golang (Minor issue)
	[wheezy] - golang (Minor issue)
	NOTE: https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
CVE-2015-5724
	RESERVED
CVE-2015-5722 (buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9. ...)
	{DSA-3350-1 DLA-308-1}
	- bind9 1:9.9.5.dfsg-12
	NOTE: https://kb.isc.org/article/AA-01287
CVE-2015-5721 (Malware Information Sharing Platform (MISP) before 2.3.90 allows remot ...)
	NOT-FOR-US: Malware Information Sharing Platform
CVE-2015-5720 (Multiple cross-site scripting (XSS) vulnerabilities in the template-cr ...)
	NOT-FOR-US: Malware Information Sharing Platform
CVE-2015-5719 (app/Controller/TemplatesController.php in Malware Information Sharing ...)
	NOT-FOR-US: Malware Information Sharing Platform
CVE-2015-5718 (Stack-based buffer overflow in the handle_debug_network function in th ...)
	NOT-FOR-US: Websense Content Gateway
CVE-2015-5734 (Cross-site scripting (XSS) vulnerability in the legacy theme preview i ...)
	{DSA-3383-1 DSA-3332-1 DLA-294-1}
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	NOTE: https://core.trac.wordpress.org/changeset/33549
CVE-2015-5733 (Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessi ...)
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	[jessie] - wordpress 4.1+dfsg-1+deb8u1
	[wheezy] - wordpress 3.6.1+dfsg-1~deb7u6
	[squeeze] - wordpress 3.6.1+dfsg-1~deb6u6
	NOTE: For jessie and wheezy the fix was already contained
	NOTE: in a previous update. The same was included in
	NOTE: the fix with cs32176_dashboard_esc_titles
	NOTE: but the issue was apparently later reintroduced
	NOTE: https://core.trac.wordpress.org/changeset/33540
	NOTE: https://core.trac.wordpress.org/changeset/33541
CVE-2015-5732 (Cross-site scripting (XSS) vulnerability in the form function in the W ...)
	{DSA-3383-1 DSA-3332-1 DLA-294-1}
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	NOTE: https://core.trac.wordpress.org/changeset/33529
CVE-2015-5731 (Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php i ...)
	{DSA-3383-1 DSA-3332-1 DLA-294-1}
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	NOTE: https://core.trac.wordpress.org/changeset/33542
	NOTE: https://core.trac.wordpress.org/changeset/33543
CVE-2015-5730 (The sanitize_widget_instance function in wp-includes/class-wp-customiz ...)
	{DSA-3332-1}
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	[squeeze] - wordpress (Vulnerable code introduced later)
	[wheezy] - wordpress (Vulnerable code introduced later)
	NOTE: https://core.trac.wordpress.org/changeset/33535
	NOTE: https://core.trac.wordpress.org/changeset/33536
CVE-2015-5717 (The Siemens COMPAS Mobile application before 1.6 for Android does not ...)
	NOT-FOR-US: Siemens
CVE-2015-5716
	RESERVED
CVE-2015-5715 (The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in ...)
	{DSA-3383-1 DSA-3375-1 DLA-321-1}
	- wordpress 4.3.1+dfsg-1 (bug #799140)
	NOTE: https://wordpress.org/news/2015/09/wordpress-4-3-1/
	NOTE: https://github.com/WordPress/WordPress/commit/9c57f3a4291f2311ae05f22c10eedeb0f69337ab
CVE-2015-5714 (Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 all ...)
	{DSA-3383-1 DSA-3375-1 DLA-321-1}
	- wordpress 4.3.1+dfsg-1 (bug #799140)
	NOTE: https://wordpress.org/news/2015/09/wordpress-4-3-1/
	NOTE: https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8
CVE-2015-5713 (Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfir ...)
	NOT-FOR-US: TIBCO
CVE-2015-5712 (Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfir ...)
	NOT-FOR-US: TIBCO
CVE-2015-5711 (TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File ...)
	NOT-FOR-US: TIBCO
CVE-2015-5710
	RESERVED
CVE-2015-5709
	RESERVED
CVE-2015-5708
	RESERVED
CVE-2015-5703 (SQL injection vulnerability in the public key discovery API call in Op ...)
	NOT-FOR-US: Open-Xchange
CVE-2015-8395 (PCRE before 8.38 mishandles certain references, which allows remote at ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code introduced later)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1594
	NOTE: related issue to CVE-2015-8384 and CVE-2015-8392
	NOTE: Same fix as used for CVE-2015-8381
CVE-2015-8394 (PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits> ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1589
CVE-2015-8393 (pcregrep in PCRE before 8.38 mishandles the -q option for binary files ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1586
CVE-2015-8392 (PCRE before 8.38 mishandles certain instances of the (?| substring, wh ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code introduced later)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1585
	NOTE: related issue to CVE-2015-8384 and CVE-2015-8395
CVE-2015-8391 (The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishan ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: Fixed in 8.38
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1579
	NOTE: First bad commit: http://vcs.pcre.org/pcre?view=revision&revision=640
CVE-2015-8390 (PCRE before 8.38 mishandles the [: and \\ substrings in character clas ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1578
CVE-2015-8389 (PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related pa ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code not present)
	[squeeze] - pcre3 (Vulnerable code not present)
	NOTE: Fixed in 8.38
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1577
	NOTE: First bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1440
	NOTE: Only after r1577 it looks like there is another new issue (stack-buffer-underflow, READ of size 4 when running PoC)
CVE-2015-8388 (PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern ...)
	- pcre3 2:8.35-7
	[jessie] - pcre3 2:8.35-3.3+deb8u1
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1651
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1571
	NOTE: Fixed in 8.38
	NOTE: Different issue than CVE-2015-5073 but same fixing commit
CVE-2015-8387 (PCRE before 8.38 mishandles (?123) subroutine calls and related subrou ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1563
CVE-2015-8386 (PCRE before 8.38 mishandles the interaction of lookbehind assertions a ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Vulnerable code introduced later)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: Fixed in 8.38
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1560
	NOTE: Reproducer fails starting from at least http://vcs.pcre.org/pcre?view=revision&revision=1379
	NOTE: but the patched code is already present in wheezy as well.
CVE-2015-8385 (PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and rel ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: Fixed in 8.38
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1559
CVE-2015-8384 (PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and re ...)
	- pcre3 2:8.35-7.2
	[jessie] - pcre3 2:8.35-3.3+deb8u1
	[wheezy] - pcre3 (Vulnerable code introduced later)
	[squeeze] - pcre3 (Vulnerable code introduced later)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1636
	NOTE: related issue to CVE-2015-8392 and CVE-2015-8395
	NOTE: Fixed in 8.38
	NOTE: Fixed by http://vcs.pcre.org/pcre?view=revision&revision=1558
	NOTE: Same fixing commit as CVE-2015-3210 but different issues
CVE-2015-8383 (PCRE before 8.38 mishandles certain repeated conditional groups, which ...)
	- pcre3 2:8.38-1
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (vulnerable code introduced in 8.34)
	[squeeze] - pcre3 (vulnerable code introduced in 8.34)
	NOTE: Fixed in 8.38
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/29/1
	NOTE: Fixed by http://vcs.pcre.org/pcre?view=revision&revision=1557
	NOTE: Introduced by/first bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1365
CVE-2015-8382 (The match function in pcre_exec.c in PCRE before 8.37 mishandles the / ...)
	- pcre3 2:8.35-7.2 (bug #794589)
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1537
	NOTE: Fixed in upstream release pcre-8.37
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/04/2
CVE-2015-XXXX [more to CVE-2015-2059]
	- libidn 1.32-1
	[jessie] - libidn 1.29-1+deb8u1
	[wheezy] - libidn 1.25-2+deb7u1
	[squeeze] - libidn 1.15-2+deb6u2
	NOTE: Introduced by fix for CVE-2015-2059
	NOTE: https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html
	NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf
	NOTE: Testcase: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238
	NOTE: squeeze-tagged entry as temporary workaround until CVE assigned for issue solved in DLA-291-1
CVE-2015-XXXX [Sidekiq::Web lacks CSRF protection]
	- ruby-sidekiq 3.4.2~dfsg-3
	[jessie] - ruby-sidekiq (Minor issue)
	NOTE: https://github.com/mperham/sidekiq/pull/2422
	NOTE: Fixed by https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
	NOTE: Fix released in sidekiq 3.4.2
	NOTE: Follow-up fix: https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
	NOTE: Follow-up commit not included in 3.4.2~dfsg-1
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-XXXX [XSS via job arguments display class in Sidekiq::Web]
	- ruby-sidekiq 3.4.2~dfsg-3
	[jessie] - ruby-sidekiq (Minor issue)
	NOTE: https://github.com/mperham/sidekiq/pull/2309
	NOTE: Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
	NOTE: Fix released in sidekiq 3.4.0
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-XXXX [XSS via queue name in Sidekiq::Web]
	- ruby-sidekiq 3.4.2~dfsg-3
	[jessie] - ruby-sidekiq (Minor issue)
	NOTE: https://github.com/mperham/sidekiq/issues/2330
	NOTE: Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
	NOTE: Fix released in sidekiq 3.4.0
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-5707 (Integer overflow in the sg_start_req function in drivers/scsi/sg.c in ...)
	{DSA-3329-1 DLA-310-1}
	- linux 4.1.3-1
	- linux-2.6
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/6
	NOTE: Probably introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10db10d144c0248f285242f79daf6b9de6b00a62 (v2.6.28-rc1)
	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81 (v4.1-rc1)
	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdc81f45e9f57858da6351836507fbcf1b7583ee (v4.1-rc1)
CVE-2015-5706 (Use-after-free vulnerability in the path_openat function in fs/namei.c ...)
	- linux 4.0.4-1
	[jessie] - linux 3.16.7-ckt11-1+deb8u3
	[wheezy] - linux (Introduced in v3.11-rc1)
	- linux-2.6 (Introduced in v3.11-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/5
	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=60545d0d4610b02e55f65d141c95b18ccf855b6e (v3.11-rc1)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 (v4.1-rc3)
CVE-2015-5702
	RESERVED
CVE-2015-5705 (Argument injection vulnerability in devscripts before 2.15.7 allows re ...)
	- devscripts 2.15.8 (bug #794365)
	[jessie] - devscripts (Vulnerable code not present)
	[wheezy] - devscripts (Vulnerable code not present)
	[squeeze] - devscripts (Vulnerable code not present)
	NOTE: Introduced in https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 (v2.15.5)
CVE-2015-5704 (scripts/licensecheck.pl in devscripts before 2.15.7 allows local users ...)
	- devscripts 2.15.7 (bug #794260)
	[jessie] - devscripts (Vulnerable code not present)
	[wheezy] - devscripts (Vulnerable code not present)
	[squeeze] - devscripts (Vulnerable code not present)
	NOTE: Introduced in https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 (v2.15.5)
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/1
CVE-2015-5699 (The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux ...)
	NOT-FOR-US: Cumulus Linux
	NOTE: https://lists.cumulusnetworks.com/pipermail/cumulus-security-announce/2015-July/000002.html
CVE-2015-5698 (Cross-site request forgery (CSRF) vulnerability in the web server on S ...)
	NOT-FOR-US: Siemens
CVE-2015-5696 (Dell Netvault Backup before 10.0.5 allows remote attackers to cause a ...)
	NOT-FOR-US: Dell Netvault Backup
CVE-2015-5693 (The management console on Symantec Web Gateway (SWG) appliances with s ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-5692 (admin_messages.php in the management console on Symantec Web Gateway ( ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-5691 (Multiple cross-site scripting (XSS) vulnerabilities in PHP scripts in ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-5690 (The management console on Symantec Web Gateway (SWG) appliances with s ...)
	NOT-FOR-US: Symantec Web Gateway
CVE-2015-5689 (ghostexp.exe in Ghost Explorer Utility in Symantec Ghost Solutions Sui ...)
	NOT-FOR-US: Symantec
CVE-2015-5695 (Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo doe ...)
	[experimental] - designate 1:1.0.0~b2-1
	- designate 2015.1.0+2015.08.26.git34.9fa07c5798-1 (bug #796108)
	[jessie] - designate 2014.1-18+deb8u1
CVE-2015-5694 (Designate does not enforce the DNS protocol limit concerning record se ...)
	[experimental] - designate 1:1.0.0~b2-1
	- designate 2015.1.0+2015.08.26.git34.9fa07c5798-1 (bug #796108)
	[jessie] - designate (Vulnerable code doesn't exist)
CVE-2015-5688 (Directory traversal vulnerability in lib/app/index.js in Geddy before ...)
	NOT-FOR-US: Geddy
	NOTE: https://github.com/geddy/geddy/issues/697
	NOTE: https://github.com/geddy/geddy/pull/699
	NOTE: https://nodesecurity.io/advisories/10
CVE-2015-5687 (system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote at ...)
	NOT-FOR-US: Anchor CMS
CVE-2015-5686 (Parts of the Puppet Enterprise Console 3.x were found to be susceptibl ...)
	NOT-FOR-US: Puppet Enterprise Console
CVE-2015-5685 (The lazy_bdecode function in BitTorrent DHT bootstrap server (bootstra ...)
	{DLA-312-1}
	- libtorrent-rasterbar 1.0.6-1 (bug #797046)
	[jessie] - libtorrent-rasterbar (Minor issue)
	[wheezy] - libtorrent-rasterbar (Minor issue)
	NOTE: Even though the CVE mentions BitTorrent DHT Bootstrap server, the vulnerable lazy_bdecode() function is effectively also available in libtorrent-rasterbar in all Debian releases.
	NOTE: Patch on libtorrent-rasterbar that has been applied in 1.0.6: https://github.com/arvidn/libtorrent/commit/d9945f6f50a8c967888cd9c2ebe65ffbe462056e
CVE-2015-5684 (MITRE is populating this ID because it was assigned prior to Lenovo be ...)
	NOT-FOR-US: Lenovo
CVE-2015-5683
	RESERVED
CVE-2015-5682 (upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows re ...)
	NOT-FOR-US: Powerplay Gallery plugin for WordPress
CVE-2015-5681 (Unrestricted file upload vulnerability in upload.php in the Powerplay ...)
	NOT-FOR-US: Powerplay Gallery plugin for WordPress
CVE-2015-5680
	RESERVED
CVE-2015-5679
	RESERVED
CVE-2015-5678
	RESERVED
CVE-2015-5677 (bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable pe ...)
	NOT-FOR-US: bsnmpd
CVE-2015-5676
	RESERVED
CVE-2015-5675 (The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allow ...)
	- kfreebsd-10 10.1~svn274115-10 (unimportant; bug #796996)
	NOTE: kfreebsd not covered by security support in Jessie
	- kfreebsd-9 (bug #796997)
	[wheezy] - kfreebsd-9 (Unsupported in wheezy-lts)
	- kfreebsd-8
	[wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, can be fixed in a point release)
	[squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS)
CVE-2015-5674 (The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 befo ...)
	NOT-FOR-US: routed daemon in FreeBSD
CVE-2015-5673 (eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) ...)
	NOT-FOR-US: ISUCON5 qualifier portal
CVE-2015-5672 (TYPE-MOON Fate/stay night, Fate/hollow ataraxia, Witch on the Holy Nig ...)
	NOT-FOR-US: TYPE-MOON
CVE-2015-5671 (Techno Project Japan Enisys Gw before 1.4.1 allows remote attackers to ...)
	NOT-FOR-US: Techno Project Japan Enisys Gw
CVE-2015-5670 (Cross-site scripting (XSS) vulnerability in Techno Project Japan Enisy ...)
	NOT-FOR-US: Techno Project Japan Enisys Gw
CVE-2015-5669 (Techno Project Japan Enisys Gw before 1.4.1 allows remote authenticate ...)
	NOT-FOR-US: Techno Project Japan Enisys Gw
CVE-2015-5668 (SQL injection vulnerability in Techno Project Japan Enisys Gw before 1 ...)
	NOT-FOR-US: Techno Project Japan Enisys Gw
CVE-2015-5667 (Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module b ...)
	{DLA-339-1}
	- libhtml-scrubber-perl 0.15-1 (bug #803943)
	[jessie] - libhtml-scrubber-perl 0.11-1+deb8u1
	[wheezy] - libhtml-scrubber-perl 0.09-1+deb7u1
	NOTE: Upstream fix: https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
CVE-2015-5666 (ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and e ...)
	NOT-FOR-US: ANA App
CVE-2015-5665 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11 ...)
	NOT-FOR-US: LOCKON
CVE-2015-5664 (Cross-site scripting (XSS) vulnerability in File Station in QNAP QTS b ...)
	NOT-FOR-US: QNAP
CVE-2015-5663 (The file-execution functionality in WinRAR before 5.30 beta 5 allows l ...)
	NOT-FOR-US: WinRAR
CVE-2015-5662 (Directory traversal vulnerability in Avast before 150918-0 allows remo ...)
	NOT-FOR-US: Avast
CVE-2015-5661 (The SAND STUDIO AirDroid application 1.1.0 and earlier for Android mis ...)
	NOT-FOR-US: SAND STUDIO AirDroid
CVE-2015-5660 (Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2. ...)
	{DLA-485-1}
	- extplorer
	NOTE: http://extplorer.net/news/18
	NOTE: http://extplorer.net/projects/extplorer/repository/diff?utf8=%E2%9C%93&rev=242&rev_to=241
CVE-2015-5659 (SQL injection vulnerability in Network Applied Communication Laborator ...)
	NOT-FOR-US: Network Applied Communication Laboratory Pref Shimane CMS
CVE-2015-5658
	REJECTED
CVE-2015-5657
	REJECTED
CVE-2015-5656
	REJECTED
CVE-2015-5655 (The Adways Party Track SDK before 1.6.6 for iOS does not verify X.509 ...)
	NOT-FOR-US: Adways Party Track SDK
CVE-2015-5654 (Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 al ...)
	- dojo (Fixed before the first version in Debian)
CVE-2015-5653 (Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows re ...)
	NOT-FOR-US: Canary Labs Trend Web Server
CVE-2015-5652 (Untrusted search path vulnerability in python.exe in Python through 3. ...)
	NOT-FOR-US: Python on Windows
CVE-2015-5651 (Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allo ...)
	- dotclear (bug #815979)
	NOTE: http://dotclear.org/blog/post/2015/09/23/Dotclear-2.8.1
CVE-2015-5650 (Directory traversal vulnerability in AjaXplorer 2.0 allows remote atta ...)
	NOT-FOR-US: AjaXplorer
CVE-2015-5649 (Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authe ...)
	NOT-FOR-US: Cybozu Garoon
CVE-2015-5648 (SQL injection vulnerability in list.php in phpRechnung before 1.6.5 al ...)
	NOT-FOR-US: phpRechnung
CVE-2015-5647 (The RSS Reader component in Cybozu Garoon 3.x through 3.7.5 and 4.x th ...)
	NOT-FOR-US: Cybozu Garoon
CVE-2015-5646 (Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote au ...)
	NOT-FOR-US: Cybozu Garoon
CVE-2015-5645 (ICZ MATCHA SNS before 1.3.7 allows remote authenticated users to obtai ...)
	NOT-FOR-US: ICZ MATCHA
CVE-2015-5644 (The installer in ICZ MATCHA SNS before 1.3.7 does not properly configu ...)
	NOT-FOR-US: ICZ MATCHA
CVE-2015-5643 (The installer in ICZ MATCHA INVOICE before 2.5.7 does not properly con ...)
	NOT-FOR-US: ICZ MATCHA
CVE-2015-5642 (Multiple SQL injection vulnerabilities in ICZ MATCHA INVOICE before 2. ...)
	NOT-FOR-US: ICZ MATCHA
CVE-2015-5641 (SQL injection vulnerability in baserCMS before 3.0.8 allows remote aut ...)
	NOT-FOR-US: baserCMS
CVE-2015-5640 (baserCMS before 3.0.8 allows remote authenticated users to modify arbi ...)
	NOT-FOR-US: baserCMS
CVE-2015-5639 (niconico App for iOS before 6.38 does not verify SSL certificates whic ...)
	NOT-FOR-US: niconico App for iOS
CVE-2015-5638 (Directory traversal vulnerability in H2O before 1.4.5 and 1.5.x before ...)
	- h2o (Fixed before initial upload to Debian)
	NOTE: https://github.com/h2o/h2o/issues/921
CVE-2015-5637 (The Newphoria Photon application before 1.2 for Android allows attacke ...)
	NOT-FOR-US: Newphoria
CVE-2015-5636 (The Newphoria Reversi application before 1.0.3 for Android and before ...)
	NOT-FOR-US: Newphoria
CVE-2015-5635 (The Newphoria Koritore application before 1.1 for Android and before 1 ...)
	NOT-FOR-US: Newphoria
CVE-2015-5634 (The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and b ...)
	NOT-FOR-US: Newphoria
CVE-2015-5633 (The Newphoria Auction Camera application for iOS and before 1.2 for An ...)
	NOT-FOR-US: Newphoria
CVE-2015-5632 (The runtime engine in the Newphoria applican framework before 1.12.3 f ...)
	NOT-FOR-US: Newphoria
CVE-2015-5631 (Cross-site request forgery (CSRF) vulnerability in the Remote UI on Ca ...)
	NOT-FOR-US: Canon
CVE-2015-5630 (Cross-site scripting (XSS) vulnerability in the NTT Broadband Platform ...)
	NOT-FOR-US: NTT
CVE-2015-5629 (The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.6. ...)
	NOT-FOR-US: NTT
CVE-2015-5628 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...)
	NOT-FOR-US: Yokogawa
CVE-2015-5627 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...)
	NOT-FOR-US: Yokogawa
CVE-2015-5626 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...)
	NOT-FOR-US: Yokogawa
CVE-2015-5625 (Cross-site scripting (XSS) vulnerability in OpenDocMan before 1.3.4 al ...)
	NOT-FOR-US: OpenDocMan
CVE-2015-5624 (Buffer overflow in the ExecCall method in c2lv6.ocx in the FreeBit ELP ...)
	NOT-FOR-US: FreeBit
CVE-2015-5697 (The get_bitmap_file function in drivers/md/md.c in the Linux kernel be ...)
	{DSA-3329-1 DLA-310-1}
	- linux 4.1.3-1
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16 (v4.2-rc6)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/28/2
CVE-2015-5620
	RESERVED
CVE-2015-5619 (Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack out ...)
	- logstash (bug #664841)
CVE-2015-5618 (Chiyu BF-630 and BF-630W fingerprint access-control devices allow remo ...)
	NOT-FOR-US: Chiyu BF-630 and BF-630W fingerprint access-control devices
CVE-2015-5617 (SQL injection vulnerability in pub/m_pending_news/delete_pending_news. ...)
	NOT-FOR-US: Enorth Webpublisher CMS
CVE-2015-5616
	RESERVED
CVE-2015-5615
	REJECTED
CVE-2015-5614
	REJECTED
CVE-2015-5613 (Cross-site scripting (XSS) vulnerability in October CMS build 271 and ...)
	NOT-FOR-US: October CMS
CVE-2015-5612 (Cross-site scripting (XSS) vulnerability in October CMS build 271 and ...)
	NOT-FOR-US: October CMS
CVE-2015-5623 (WordPress before 4.2.3 does not properly verify the edit_posts capabil ...)
	{DSA-3328-1}
	- wordpress 4.2.3+dfsg-1
	[wheezy] - wordpress (Vulnerable code not present)
	[squeeze] - wordpress (Vulnerable code not present)
	NOTE: https://core.trac.wordpress.org/changeset/33357
CVE-2015-5622 (Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 all ...)
	{DSA-3383-1 DSA-3332-1 DLA-294-1}
	- wordpress 4.2.3+dfsg-1
	NOTE: https://core.trac.wordpress.org/changeset/33359
CVE-2015-5611 (Unspecified vulnerability in Uconnect before 15.26.1, as used in certa ...)
	NOT-FOR-US: Uconnect
CVE-2015-5610 (The RSM (aka RSMWinService) service in SolarWinds N-Able N-Central bef ...)
	NOT-FOR-US: SolarWinds
CVE-2015-5609 (Absolute path traversal vulnerability in the Image Export plugin 1.1 f ...)
	NOT-FOR-US: Image Export plugin for WordPress
CVE-2015-5608 (Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. ...)
	NOT-FOR-US: Joomla!
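Added example for the CVE-2015-5600 openssh entry that follows, whose NOTE says the issue only applies when KbdInteractiveAuthentication is effectively "yes", and that its default is inherited from ChallengeResponseAuthentication (which Debian's shipped sshd_config sets to "no"). This script is not part of the tracker data and is not OpenSSH's or Debian's code; it audits an sshd_config file offline using exactly that inheritance rule. Assumptions it makes: "Keyword value" syntax (no "Keyword=value"), the first active occurrence of a keyword wins, and only the global section before any Match block is considered; the FALLBACK argument (default "yes", the upstream default) is what applies when neither keyword is set. The sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the Debian tracker data and not OpenSSH's own code.
# Decides whether an sshd_config is exposed to the CVE-2015-5600 condition noted
# in the tracker, i.e. whether KbdInteractiveAuthentication is effectively "yes".
# Rule (from the tracker note): an explicit KbdInteractiveAuthentication wins;
# otherwise the ChallengeResponseAuthentication value is used; if neither is set
# the FALLBACK argument applies (assumed: upstream default "yes"; Debian ships
# "ChallengeResponseAuthentication no").
# Assumptions: "Keyword value" syntax, first occurrence wins, global section only
# (parsing stops at the first Match block, as sshd applies Match conditionally).

# first_value KEYWORD FILE -> lowercased value of the first active occurrence
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # skip comment lines
        NF == 0 { next }                          # skip blank lines
        tolower($1) == "match" { exit }           # stop at the first Match block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# effective_kbdint FILE [FALLBACK] -> prints "yes" or "no"
effective_kbdint() {
    _file=$1
    _fallback=${2:-yes}
    _v=$(first_value KbdInteractiveAuthentication "$_file")
    [ -z "$_v" ] && _v=$(first_value ChallengeResponseAuthentication "$_file")
    [ -z "$_v" ] && _v=$_fallback
    printf '%s\n' "$_v"
}

# Demo on a constructed config resembling Debian's shipped default (not a real host's file).
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
# constructed sample sshd_config
Port 22
ChallengeResponseAuthentication no
UsePAM yes
EOF
printf 'KbdInteractiveAuthentication effective: %s\n' "$(effective_kbdint "$_demo")"
rm -f "$_demo"
```

On a running host the authoritative answer comes from sshd itself: `sshd -T | grep -i kbdinteractiveauthentication` prints the value the daemon actually applies, Match blocks included. The script above is for checking config files that are not on a live system, for example in a configuration-management repository.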
CVE-2015-5606 (Vordel XML Gateway (acquired by Axway) version 7.2.2 could allow remot ...)
	NOT-FOR-US: Vordel XML Gateway
CVE-2015-5605 (The regular-expression implementation in Google V8, as used in Google ...)
	- libv8 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-5604
	RESERVED
CVE-2015-5603 (The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows re ...)
	NOT-FOR-US: HipChat plugin
CVE-2015-5602 (sudoedit in Sudo before 1.8.15 allows local users to gain privileges v ...)
	{DSA-3440-1 DLA-382-1}
	- sudo 1.8.15-1.1 (bug #804149)
	NOTE: http://bugzilla.sudo.ws/show_bug.cgi?id=707
	NOTE: http://www.sudo.ws/repos/sudo/rev/9636fd256325
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1277426
	NOTE: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781
CVE-2015-5601 (edx-platform before 2015-07-20 allows code execution by privileged use ...)
	NOT-FOR-US: Open edX
CVE-2015-5600 (The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH th ...)
	{DLA-1500-1 DLA-288-1}
	- openssh 1:6.9p1-1 (bug #793616)
	[wheezy] - openssh (Minor issue; not in default configurations)
	NOTE: http://seclists.org/fulldisclosure/2015/Jul/92
	NOTE: Affects configurations that have KbdInteractiveAuthentication set
	NOTE: to yes. Default for KbdInteractiveAuthentication is to use whatever
	NOTE: value ChallengeResponseAuthentication is set to, which is 'no' in
	NOTE: default configurations in Debian.
CVE-2015-5599 (Multiple SQL injection vulnerabilities in upload.php in the Powerplay ...)
	NOT-FOR-US: Powerplay Gallery plugin for WordPress
CVE-2015-5598
	RESERVED
CVE-2015-5597
	RESERVED
CVE-2015-5596
	RESERVED
CVE-2015-5595 (Cross-site request forgery (CSRF) vulnerability in admin.php in Zenpho ...)
	NOT-FOR-US: Zenphoto
CVE-2015-5594 (The sanitize_string function in ZenPhoto before 1.4.9 utilized the htm ...)
	NOT-FOR-US: Zenphoto
CVE-2015-5593 (The sanitize_string function in Zenphoto before 1.4.9 does not properl ...)
	NOT-FOR-US: Zenphoto
CVE-2015-5592 (Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allow ...)
	NOT-FOR-US: Zenphoto
CVE-2015-5591 (SQL injection vulnerability in Zenphoto before 1.4.9 allow remote admi ...)
	NOT-FOR-US: Zenphoto
CVE-2015-5588 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5587 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.241 an ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5586 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-5585
	REJECTED
CVE-2015-5584 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5583 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...)
	NOT-FOR-US: Adobe
CVE-2015-5582 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5581 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5580 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5579 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5578 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5577 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5576 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5575 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5574 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5573 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5572 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5571 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5570 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5569 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5568 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5567 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5566 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5565 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5564 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5563 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5562 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5561 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5560 (Integer overflow in Adobe Flash Player before 18.0.0.232 on Windows an ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5559 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5558 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5557 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5556 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5555 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5554 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5553 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5552 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5551 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5550 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5549 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5548 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5547 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5546 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5545 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5544 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5543
	REJECTED
CVE-2015-5542
	REJECTED
CVE-2015-5541 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5540 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5539 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-5538 (Multiple unspecified vulnerabilities in Citrix NetScaler Application D ...)
	NOT-FOR-US: Citrix
CVE-2015-5537 (The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2 ...)
	NOT-FOR-US: Siemens
CVE-2015-XXXX [integer overflow]
	- freexl 1.0.2-1
	[jessie] - freexl 1.0.0g-1+deb8u2
	[wheezy] - freexl 1.0.0b-1+deb7u2
	NOTE: For the issue fixed in DSA-3310-1 not yet CVEified
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/06/7
CVE-2015-XXXX [SQL Injection in host_templates.php]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2584
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in graph_templates.php]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2583
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in data_templates.php]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2582
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in cdef.php]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2580
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection Vulnerability in data sources]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2579
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection Vulnerability in graph items and graph template items]
	- cacti 0.8.8e+ds1-1
	[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
	[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
	[squeeze] - cacti 0.8.7g-1+squeeze7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
	NOTE: http://bugs.cacti.net/view.php?id=2574
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-5590 (Stack-based buffer overflow in the phar_fix_filepath function in ext/p ...)
	{DSA-3344-1 DLA-307-1}
	- php5 5.6.11+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69923
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f
	NOTE: Fixed in 5.6.11, 5.4.43
CVE-2015-5589 (The phar_convert_to_other function in ext/phar/phar_object.c in PHP be ...)
	{DSA-3344-1 DLA-307-1}
	- php5 5.6.11+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69958
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
	NOTE: Fixed in 5.6.11, 5.4.43
CVE-2015-5536 (Belkin N300 Dual-Band Wi-Fi Range Extender with firmware before 1.04.1 ...)
	NOT-FOR-US: Belkin router
CVE-2015-5535 (Cross-site scripting (XSS) vulnerability in the qTranslate plugin 2.5. ...)
	NOT-FOR-US: qTranslate plugin for wordpress
CVE-2015-5534 (Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall b ...)
	NOT-FOR-US: Oxwall
CVE-2015-5533 (SQL injection vulnerability in counter-options.php in the Count Per Da ...)
	NOT-FOR-US: WordPress plugin count-per-day
CVE-2015-5532 (Multiple cross-site scripting (XSS) vulnerabilities in the Paid Member ...)
	NOT-FOR-US: WordPress plugin paid-memberships-pro
CVE-2015-5530 (Multiple cross-site request forgery (CSRF) vulnerabilities in Free Rep ...)
	NOT-FOR-US: Free Reprintables
CVE-2015-5529 (Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintabl ...)
	NOT-FOR-US: Free Reprintables
CVE-2015-5528 (Cross-site scripting (XSS) vulnerability in the save_order function in ...)
	NOT-FOR-US: save_order function in class-floating-social-bar.php in the Floating Social Bar plugin for WordPress
CVE-2015-5527
	RESERVED
CVE-2015-5526
	RESERVED
CVE-2015-5525
	RESERVED
CVE-2015-5524 (An issue was discovered on Samsung mobile devices with KK(4.4) and lat ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2015-5531 (Directory traversal vulnerability in Elasticsearch before 1.6.1 allows ...)
	- elasticsearch 1.6.1+dfsg-1 (bug #792617)
	[jessie] - elasticsearch (No longer supported, see DSA 3389)
	NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security
CVE-2015-5521 (Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows ...)
	NOT-FOR-US: BlackCat CMS
CVE-2015-5520 (Cross-site scripting (XSS) vulnerability in the Users module in Orchar ...)
	NOT-FOR-US: Orchard CMS
CVE-2015-5519 (Cross-site scripting (XSS) vulnerability in the applyConvolution demo ...)
	NOT-FOR-US: WideImage
CVE-2015-5518
	RESERVED
CVE-2015-5517
	RESERVED
CVE-2015-8176
	REJECTED
CVE-2015-5516 (Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, and L ...)
	NOT-FOR-US: F5 BIG-IP
CVE-2015-6240 (The chroot, jail, and zone connection plugins in ansible before 1.9.2 ...)
	{DLA-1923-1}
	- ansible 1.9.2+dfsg-1 (low)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/14/3
CVE-2015-5515 (The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x- ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5514 (Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5513 (Cross-site scripting (XSS) vulnerability in the Shibboleth authenticat ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5512 (The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1 ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5511 (The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5510 (Open redirect vulnerability in the Content Construction Kit (CCK) 6.x- ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5509 (The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, whe ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5508 (Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provide ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5507 (Cross-site scripting (XSS) vulnerability in the Inline Entity Form mod ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5506 (The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal doe ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5505 (The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1. ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5504 (SQL injection vulnerability in the Novalnet Payment Module Ubercart mo ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5503 (Open redirect vulnerability in the Chamilo integration module 7.x-1.x ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5502 (The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not prop ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5501 (The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x befor ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5500 (Cross-site scripting (XSS) vulnerability in the Navigate module for Dr ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5499 (The Navigate module for Drupal does not properly check permissions, wh ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5498 (The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not ch ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5497 (Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2 ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5496 (The pass2pdf module for Drupal does not restrict access to generated P ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5495 (Cross-site scripting (XSS) vulnerability in the Mobile sliding menu mo ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5494 (Cross-site scripting (XSS) vulnerability in the Webform Matrix Compone ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5493 (The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5492 (Cross-site scripting (XSS) vulnerability in the Video Consultation mod ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5491 (The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal all ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5490 (The _views_fetch_data method in includes/cache.inc in the Views module ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5489 (Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x- ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5488 (Cross-site scripting (XSS) vulnerability in the MailChimp Signup submo ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5487 (Cross-site scripting (XSS) vulnerability in the Camtasia Relay module ...)
	NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5486
	RESERVED
CVE-2015-5485 (Cross-site scripting (XSS) vulnerability in the Event Import page (imp ...)
	NOT-FOR-US: Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin for WordPress
CVE-2015-5484 (Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1 ...)
	NOT-FOR-US: Plotly plugin for WordPress
CVE-2015-5483 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Priv ...)
	NOT-FOR-US: Private Only plugin for WordPress
CVE-2015-5482 (Directory traversal vulnerability in the GD bbPress Attachments plugin ...)
	NOT-FOR-US: GD bbPress Attachments plugin for WordPress
CVE-2015-5481 (Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD ...)
	NOT-FOR-US: GD bbPress Attachments plugin for WordPress
CVE-2015-5480
	RESERVED
CVE-2015-5479 (The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav be ...)
	{DLA-644-1}
	- ffmpeg (Vulnerable code not present)
	[squeeze] - ffmpeg (Not supported in Squeeze LTS)
	- libav (low)
	[jessie] - libav 6:11.6-1~deb8u1
	[wheezy] - libav (Minor issue, can be fixed along in a future DSA)
	NOTE: Patch in libav: https://git.libav.org/?p=libav.git;a=commit;h=0a49a62f998747cfa564d98d36a459fe70d3299b
	NOTE: Fixed in libav 11.5
CVE-2015-5478
	RESERVED
CVE-2015-5477 (named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allo ...)
	{DSA-3319-1 DLA-285-1}
	- bind9 1:9.9.5.dfsg-11 (bug #793903)
	NOTE: https://kb.isc.org/article/AA-01272/0
CVE-2015-5476
	RESERVED
CVE-2015-5475 (Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker ...)
	{DSA-3335-1}
	- request-tracker4 4.2.11-2
	NOTE: https://github.com/bestpractical/rt/commit/67d517ba3421ba462e349c73207a627d137ef8ac (4.2.x)
	NOTE: https://github.com/bestpractical/rt/commit/4ec786bb4743f67a35a634c1bf43b13d3d3b39a9 (4.0.x)
CVE-2015-5474 (BitTorrent and uTorrent allow remote attackers to inject command line ...)
	NOT-FOR-US: uTorrent
CVE-2015-5473 (Multiple directory traversal vulnerabilities in Samsung SyncThru 6 bef ...)
	NOT-FOR-US: Samsung
CVE-2015-5472 (Absolute path traversal vulnerability in lib/download.php in the IBS M ...)
	NOT-FOR-US: IBS Mappro plugin for WordPress
CVE-2015-5471 (Absolute path traversal vulnerability in include/user/download.php in ...)
	NOT-FOR-US: Swim Team plugin for WordPress
CVE-2015-5469 (Absolute path traversal vulnerability in the MDC YouTube Downloader pl ...)
	NOT-FOR-US: MDC YouTube Downloader plugin for WordPress
CVE-2015-5468 (Directory traversal vulnerability in the WP e-Commerce Shop Styling pl ...)
	NOT-FOR-US: WP e-Commerce Shop Styling plugin for WordPress
CVE-2015-5467
	RESERVED
CVE-2015-5466 (Silicon Integrated Systems XGI WindowsXP Display Manager (aka XGI VGA ...)
	NOT-FOR-US: Silicon Integrated Systems XGI WindowsXP Display Manager
CVE-2015-5465 (Silicon Integrated Systems WindowsXP Display Manager (aka VGA Driver M ...)
	NOT-FOR-US: Silicon Integrated Systems
CVE-2015-5464 (The Gemalto SafeNet Luna HSM allows remote authenticated users to bypa ...)
	NOT-FOR-US: Gemalto
CVE-2015-5463 (AxiomSL's Axiom java applet module (used for editing uploaded Excel fi ...)
	NOT-FOR-US: AxiomSL's Axiom
CVE-2015-5462 (AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier allows rem ...)
	NOT-FOR-US: AxiomSL's Axiom
CVE-2015-5607 (Cross-site request forgery in the REST API in IPython 2 and 3. ...)
	- ipython 2.4.1-1 (bug #793123)
	[jessie] - ipython (Minor issue)
	[wheezy] - ipython (Minor issue)
	[squeeze] - ipython (Vulnerable code not present)
	NOTE: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x)
	NOTE: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x)
	NOTE: Affected versions: 0.12 <= version <= 3.2.0
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/12/4
CVE-2015-5461 (Open redirect vulnerability in the Redirect function in stageshow_redi ...)
	NOT-FOR-US: Redirect function in stageshow_redirect.php in the StageShow plugin for WordPress
CVE-2015-5460 (Cross-site scripting (XSS) vulnerability in app/views/events/_menu.htm ...)
	NOT-FOR-US: Snorby
CVE-2015-5459 (SQL injection vulnerability in the AdvanceSearch.class in AdventNetPas ...)
	NOT-FOR-US: Password Manager Pro
CVE-2015-5458 (Session fixation vulnerability in fileupload.php in PivotX before 2.3. ...)
	NOT-FOR-US: PivotX
CVE-2015-5457 (PivotX before 2.3.11 does not validate the new file extension when ren ...)
	NOT-FOR-US: PivotX
CVE-2015-5456 (Cross-site scripting (XSS) vulnerability in the form method in modules ...)
	NOT-FOR-US: PivotX
CVE-2015-5455 (Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier a ...)
	NOT-FOR-US: X-cart
CVE-2015-5454 (Cross-site scripting (XSS) vulnerability in Nucleus CMS allows remote ...)
	NOT-FOR-US: Nucleus CMS
CVE-2015-5453 (Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authentic ...)
	NOT-FOR-US: Watchguard XCS
CVE-2015-5452 (SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before buil ...)
	NOT-FOR-US: Watchguard XCS
CVE-2015-5451 (Cross-site request forgery (CSRF) vulnerability in HP Operations Orche ...)
	NOT-FOR-US: HP Operations Orchestration Central
CVE-2015-5450
	REJECTED
CVE-2015-5449
	REJECTED
CVE-2015-5448 (HP Asset Manager 9.40 and 9.41 before 9.41.11103 P4-rev1 and 9.50 befo ...)
	NOT-FOR-US: HP Asset Manager
CVE-2015-5447 (Cross-site scripting (XSS) vulnerability in HP StoreOnce Backup system ...)
	NOT-FOR-US: HP StoreOnce Backup
CVE-2015-5446 (HP StoreOnce Backup system software before 3.13.1 allows remote attack ...)
	NOT-FOR-US: HP StoreOnce Backup
CVE-2015-5445 (Cross-site request forgery (CSRF) vulnerability in HP StoreOnce Backup ...)
	NOT-FOR-US: HP StoreOnce Backup
CVE-2015-5444 (Multiple cross-site scripting (XSS) vulnerabilities in HP Smart Profil ...)
	NOT-FOR-US: SPS DAL
CVE-2015-5443 (HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (G ...)
	NOT-FOR-US: HP
CVE-2015-5442 (Unspecified vulnerability in HP Software Update before 5.005.002.002 a ...)
	NOT-FOR-US: HP Software Update
CVE-2015-5441 (Multiple cross-site scripting (XSS) vulnerabilities in HP ArcSight Man ...)
	NOT-FOR-US: HP Arcsight
CVE-2015-5440 (HP UCMDB 10.00 and 10.01 before 10.01CUP12, 10.10 and 10.11 before 10. ...)
	NOT-FOR-US: HP UCMDB
CVE-2015-5439
	REJECTED
CVE-2015-5438
	REJECTED
CVE-2015-5437
	REJECTED
CVE-2015-5436 (A potential security vulnerability has been identified with HP Integra ...)
	NOT-FOR-US: HP
CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...)
	NOT-FOR-US: HP
CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...)
	NOT-FOR-US: HP H3C
CVE-2015-5433 (HP Virtual Connect Enterprise Manager (VCEM) SDK before 7.5.0, as used ...)
	NOT-FOR-US: HP Virtual Connect Enterprise Manager
CVE-2015-5432 (HP Virtual Connect Enterprise Manager (VCEM) SDK before 7.5.0, as used ...)
	NOT-FOR-US: HP Virtual Connect Enterprise Manager
CVE-2015-5431 (HP Matrix Operating Environment before 7.5.0 allows remote authenticat ...)
	NOT-FOR-US: HP Matrix Operating Environment
CVE-2015-5430 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...)
	NOT-FOR-US: HP Matrix Operating Environment
CVE-2015-5429 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...)
	NOT-FOR-US: HP Matrix Operating Environment
CVE-2015-5428 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...)
	NOT-FOR-US: HP Matrix Operating Environment
CVE-2015-5427 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...)
	NOT-FOR-US: HP Matrix Operating Environment
CVE-2015-5426 (Unspecified vulnerability in HP LoadRunner Controller before 12.50 all ...)
	NOT-FOR-US: HP LoadRunner
CVE-2015-5425
	REJECTED
CVE-2015-5424 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5423 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5422 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5421 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5420 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5419 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5418 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5417 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5416 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...)
	NOT-FOR-US: HP KeyView
CVE-2015-5415
	REJECTED
CVE-2015-5414
	REJECTED
CVE-2015-5413 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...)
	NOT-FOR-US: HP Version Control Repository Manager
CVE-2015-5412 (Cross-site request forgery (CSRF) vulnerability in HP Version Control ...)
	NOT-FOR-US: HP Version Control Repository Manager
CVE-2015-5411 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...)
	NOT-FOR-US: HP Version Control Repository Manager
CVE-2015-5410 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...)
	NOT-FOR-US: HP Version Control Repository Manager
CVE-2015-5409 (Buffer overflow in HP Version Control Repository Manager (VCRM) before ...)
	NOT-FOR-US: HP Version Control Repository Manager
CVE-2015-5408 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...)
	NOT-FOR-US: HP CentralView Fraud Risk Management
CVE-2015-5407 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...)
	NOT-FOR-US: HP CentralView Fraud Risk Management
CVE-2015-5406 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...)
	NOT-FOR-US: HP CentralView Fraud Risk Management
CVE-2015-5405 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-5404 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-5403 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-5402 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-5401 (Teradata Gateway before 15.00.03.02-1 and 15.10.x before 15.10.00.01-1 ...)
	NOT-FOR-US: Teradata
CVE-2015-5399 (Cross-site scripting (XSS) vulnerability in PHPVibe before 4.21 allows ...)
	NOT-FOR-US: PHPVibe
CVE-2015-5398
	RESERVED
CVE-2015-5397 (Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 throu ...)
	NOT-FOR-US: Joomla!
CVE-2015-5396
	RESERVED
CVE-2015-5394
	RESERVED
CVE-2015-5393
	RESERVED
CVE-2015-5392
	RESERVED
CVE-2015-5391
	RESERVED
CVE-2015-5390
	RESERVED
CVE-2015-5389
	RESERVED
CVE-2015-5388
	RESERVED
CVE-2015-5387
	RESERVED
CVE-2015-5386 (Siemens SICAM MIC devices with firmware before 2404 allow remote attac ...)
	NOT-FOR-US: Siemens
CVE-2015-5385
	RESERVED
CVE-2015-5384 (AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnera ...)
	NOT-FOR-US: AxiomSL's Axiom
CVE-2015-5379 (Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax We ...)
	NOT-FOR-US: Axigen
CVE-2015-5378 (Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attac ...)
	- logstash (bug #664841)
CVE-2015-5377 (** DISPUTED ** Elasticsearch before 1.6.1 allows remote attackers to e ...)
	- elasticsearch 1.6.1+dfsg-1 (bug #792617)
	[jessie] - elasticsearch (No longer supported, see DSA 3389)
	NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security
CVE-2015-5376 (SQL injection vulnerability in the login form in GSI WiNPAT Portal 3.2 ...)
	NOT-FOR-US: GSI WiNPAT Portal
CVE-2015-5375 (Cross-site scripting (XSS) vulnerability in unspecified dialogs for pr ...)
	NOT-FOR-US: Open-Xchange
CVE-2015-5374 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...)
	NOT-FOR-US: Siemens
CVE-2015-5373
	RESERVED
CVE-2015-5372 (The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18. ...)
	NOT-FOR-US: AdNovum nevisAuth
CVE-2015-5371 (The AuthenticationFilter class in SolarWinds Storage Manager allows re ...)
	NOT-FOR-US: SolarWinds
CVE-2015-5370 (Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before ...)
	{DSA-3548-1}
	- samba 2:4.3.7+dfsg-1
	NOTE: https://www.samba.org/samba/security/CVE-2015-5370.html
CVE-2015-5369 (Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS65 ...)
	NOT-FOR-US: Pulse Connect Secure / Juniper PCS
CVE-2015-5368 (The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00. ...)
	NOT-FOR-US: HP
CVE-2015-5367 (The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00. ...)
	NOT-FOR-US: HP
CVE-2015-8041 (Multiple integer overflows in the NDEF record parser in hostapd before ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #795740)
	- wpasupplicant
	[squeeze] - wpasupplicant (0.7.0-v2.4 with CONFIG_WPS_NFC=y)
	- hostapd
	[squeeze] - hostapd (v0.7.0-v2.4 with CONFIG_WPS_NFC=y)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/08/3
	NOTE: http://w1.fi/security/2015-5/
CVE-2015-5395 (Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. ...)
	- sogo 3.2.4-0.2 (bug #796197)
	[wheezy] - sogo (not supported in Wheezy LTS)
	NOTE: https://lists.debian.org/debian-lts/2016/05/msg00197.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/10
	NOTE: http://www.sogo.nu/bugs/view.php?id=3246
	NOTE: https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711 (SOGo-3.1.0)
CVE-2015-5470 (The label decompression functionality in PowerDNS Recursor before 3.6. ...)
	{DSA-3307-1 DSA-3306-1}
	- pdns 3.4.5-1
	[wheezy] - pdns (3.2 and up affected)
	[squeeze] - pdns (3.2 and up affected)
	- pdns-recursor 3.7.3-1
	[wheezy] - pdns-recursor (3.5 and up affected)
	[squeeze] - pdns-recursor (3.5 and up affected)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/6
	NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
	NOTE: Patch: http://downloads.powerdns.com/patches/2015-01/rec-3.7.2.patch
CVE-2015-5383 (Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain ...)
	- roundcube (protection is done in apache config in binary package)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
	NOTE: http://trac.roundcube.net/ticket/1490378
CVE-2015-5382 (program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 ...)
	- roundcube 1.1.2+dfsg.1-1 (bug #791643)
	[wheezy] - roundcube (Vulnerable code not present)
	[squeeze] - roundcube (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
	NOTE: http://trac.roundcube.net/ticket/1490379
CVE-2015-5381 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...)
	- roundcube 1.1.2+dfsg.1-1 (bug #791643)
	[wheezy] - roundcube (Vulnerable code not present)
	[squeeze] - roundcube (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
	NOTE: http://trac.roundcube.net/ticket/1490417
CVE-2015-5400 (Squid before 3.5.6 does not properly handle CONNECT method peer respon ...)
	{DSA-3327-1 DLA-286-1}
	- squid 4.1-1
	[wheezy] - squid (Fix is hard to backport and default configuration is not affected)
	[squeeze] - squid (Fix is hard to backport and default configuration is not affected)
	- squid3 3.5.6-1 (bug #793128)
	NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch (3.5)
	NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch (3.4)
	NOTE: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/8
	NOTE: In squeeze's squid3 the code is structured differently but the bug still appears to be present.
	NOTE: For squid 2.x all versions are affected, cf. comment by upstream in
	NOTE: https://bugs.debian.org/793128#12
CVE-2015-5380 (The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in ...)
	- nodejs (Only affects 0.12.x)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/05/1
CVE-2015-5365 (Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows rem ...)
	NOT-FOR-US: Zurmo CRM
CVE-2015-5363 (The SRX Network Security Daemon (nsd) in Juniper SRX Series services g ...)
	NOT-FOR-US: Juniper
CVE-2015-5362 (The BFD daemon in Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 ...)
	NOT-FOR-US: Juniper
CVE-2015-5361 (Background For regular, unencrypted FTP traffic, the FTP ALG can inspe ...)
	NOT-FOR-US: Juniper
CVE-2015-5360 (IPv6 sendd in Juniper Junos 12.1X44 before 12.1X44-D51, 12.1X46 before ...)
	NOT-FOR-US: Juniper
CVE-2015-5359 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D3 ...)
	NOT-FOR-US: Juniper
CVE-2015-5358 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D3 ...)
	NOT-FOR-US: Juniper
CVE-2015-5357 (The Juniper EX4600, QFX3500, QFX3600, and QFX5100 switches with Junos ...)
	NOT-FOR-US: Juniper
CVE-2015-5356 (Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in G ...)
	NOT-FOR-US: GetSimple CMS
CVE-2015-5355 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS b ...)
	NOT-FOR-US: GetSimple CMS
CVE-2015-5354 (Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote a ...)
	NOT-FOR-US: Novius OS
CVE-2015-5353 (Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows re ...)
	NOT-FOR-US: Novius OS
CVE-2015-5351 (The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ...)
	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
	- tomcat9 (Fixed before initial upload to Debian)
	- tomcat8 8.0.32-1
	- tomcat7 7.0.68-1
	- tomcat6 6.0.41-3
	NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
	NOTE: Fixed in 7.0.68, 8.0.32, 9.0.0.M3
	NOTE: Upstream advisory does not make reference to 6.x but looking at the
	NOTE: upstream patches reveals that this issue is fixed since 6.0.45
	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1720661
	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1720663
CVE-2015-5350 (In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered ...)
	NOT-FOR-US: Cloud Foundry
CVE-2015-5349 (The CSV export in Apache LDAP Studio and Apache Directory Studio befor ...)
	- apache-directory-server (Fixed before initial upload to Debian)
CVE-2015-5348 (Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x be ...)
	NOT-FOR-US: Apache Camel
CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScrip ...)
	NOT-FOR-US: Apache Wicket
CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ...)
	{DSA-3609-1 DSA-3552-1 DSA-3530-1}
	- tomcat9 (Fixed before initial upload to Debian)
	- tomcat8 8.0.30-1
	- tomcat7 7.0.68-1
	- tomcat6 6.0.41-3
	NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
	[squeeze] - tomcat6 (Minor issue, very unlikely to exploit)
	NOTE: Fixed in 7.0.67, 8.0.30, 9.0.0.M3
	NOTE: https://svn.apache.org/viewvc?view=revision&revision=1713187
	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1713185
	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1723506
CVE-2015-5345 (The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7. ...)
	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
	- tomcat9 (Fixed before initial upload to Debian)
	- tomcat8 8.0.30-1
	- tomcat7 7.0.68-1
	- tomcat6 6.0.41-3
	NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
	NOTE: Fixed in 6.0.45, 7.0.67, 8.0.30, 9.0.0.M3
CVE-2015-5344 (The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x b ...)
	NOT-FOR-US: Apache Camel
CVE-2015-5343 (Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, ...)
	{DSA-3424-1}
	- subversion 1.9.3-1
	[wheezy] - subversion (Vulnerable code not present)
	[squeeze] - subversion (Vulnerable code not present)
	NOTE: https://subversion.apache.org/security/CVE-2015-5343-advisory.txt
CVE-2015-5342 (The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5341 (mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5340 (Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2. ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5339 (The core_enrol_get_enrolled_users web service in enrol/externallib.php ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5338 (Multiple cross-site request forgery (CSRF) vulnerabilities in the less ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5337 (Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2. ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5336 (Multiple cross-site scripting (XSS) vulnerabilities in the survey modu ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5335 (Cross-site request forgery (CSRF) vulnerability in admin/registration/ ...)
	- moodle 2.7.11+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
CVE-2015-5334 (Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 ...)
	- libressl (bug #754513)
CVE-2015-5333 (Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allow ...)
	- libressl (bug #754513)
CVE-2015-5332 (Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote ...)
	- moodle (Only affects 2.8 and later)
CVE-2015-5331 (Moodle 2.9.x before 2.9.3 does not properly check the contact list bef ...)
	- moodle (Only affects 2.9 and later)
CVE-2015-5330 (ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4 ...)
	{DSA-3433-1}
	- samba 2:4.1.22+dfsg-1
	[wheezy] - samba (Only affects 4.0.0 to 4.3.2)
	[squeeze] - samba (Only affects 4.0.0 to 4.3.2)
	- ldb 2:1.1.24-1
	[jessie] - ldb 2:1.1.17-2+deb8u1
	[wheezy] - ldb (Minor issue, only relevant in conjunction with Samba 4, which isn't in wheezy)
	[squeeze] - ldb (Minor issue)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=1aef718f3cc175d90d40202a333042a38ba382b1 (v4-1-stable)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=7bcac237656083e67bbac9b50be9b319bb2d7eb8 (v4-1-stable)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=5f3c7541c2f10ac2174538288f6569af587d69f0 (v4-1-stable)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=a561ae6294fa926bf3a15b9aaf3d18d25d5e971f (v4-1-stable)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=f07626d0297ed6bd21623409e1ea1ae1138d23a8 (v4-1-stable)
	NOTE: https://git.samba.org/?p=samba.git;a=commit;h=83f1d39cd9ab9b8b548602f9ee806a994fca9d0c (v4-1-stable)
	NOTE: https://www.samba.org/samba/security/CVE-2015-5330.html
	NOTE: The Samba update also needs the fixed ldb
CVE-2015-5329 (The TripleO Heat templates (tripleo-heat-templates), as used in Red Ha ...)
	- tripleo-heat-templates 5.2.0-1 (bug #851396)
CVE-2015-5328
	RESERVED
CVE-2015-5327 (Out-of-bounds memory read in the x509_decode_time function in x509_cer ...)
	- linux (Only affected 4.3-rc1 onwards)
	- linux-2.6 (Only affected 4.3-rc1 onwards)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cc25b994acfbc901429da682d0f73c190e960206 (v4.4-rc1)
CVE-2015-5326 (Cross-site scripting (XSS) vulnerability in the slave overview page in ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5325 (Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5324 (Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5323 (Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict a ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5322 (Directory traversal vulnerability in Jenkins before 1.638 and LTS befo ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5321 (The sidepanel widgets in the CLI command overview and help pages in Je ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5320 (Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5319 (XML external entity (XXE) vulnerability in the create-job CLI command ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5318 (Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5317 (The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 ...)
	- jenkins
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5316 (The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in ...)
	{DSA-3397-1}
	- wpa 2.3-2.3 (bug #804710)
	[wheezy] - wpa (v2.3-v2.5 with CONFIG_EAP_PWD=y)
	- wpasupplicant (v2.3-v2.5 with CONFIG_EAP_PWD=y)
	- hostapd (v2.3-v2.5 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-8/
	NOTE: https://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt
	NOTE: https://w1.fi/security/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
CVE-2015-5315 (The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2 ...)
	{DSA-3397-1}
	- wpa 2.3-2.3 (bug #804708)
	[wheezy] - wpa (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	- wpasupplicant (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	- hostapd (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-7/
	NOTE: https://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt
	NOTE: https://w1.fi/security/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
CVE-2015-5314 (The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd ...)
	{DSA-3397-1}
	- wpa 2.3-2.3 (bug #804708)
	[wheezy] - wpa (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	- wpasupplicant (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	- hostapd (v2.0-v2.5 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-7/
	NOTE: https://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt
	NOTE: https://w1.fi/security/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
CVE-2015-5313 (Directory traversal vulnerability in the virStorageBackendFileSystemVo ...)
	- libvirt 1.3.0-1 (bug #808273)
	[jessie] - libvirt 1.2.9-9+deb8u2
	[wheezy] - libvirt (Vulnerable code introduced later)
	[squeeze] - libvirt (Vulnerable code introduced later)
	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7
	NOTE: Broken by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c930410bebae0a45889b992a7932c663b06cbbcd (v1.1.0-rc1)
	NOTE: http://security.libvirt.org/2015/0004.html
CVE-2015-5312 (The xmlStringLenDecodeEntities function in parser.c in libxml2 before ...)
	{DSA-3430-1 DLA-373-1}
	- libxml2 2.9.3+dfsg1-1
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e (v2.9.3)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756733 (upstream bug not yet open)
CVE-2015-5311 (PowerDNS (aka pdns) Authoritative Server 3.4.4 before 3.4.7 allows rem ...)
	- pdns 3.4.7-1
	[jessie] - pdns (Only 3.4.4 and later affected)
	[wheezy] - pdns (Only 3.4.4 and later affected)
	[squeeze] - pdns (Only 3.4.4 and later affected)
	- pdns-recursor (recursor not affected)
	NOTE: https://www.openwall.com/lists/oss-security/2015/11/09/3
CVE-2015-5310 (The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not prop ...)
	{DSA-3397-1}
	- wpa 2.3-2.3 (bug #804707)
	[wheezy] - wpa (v2.0-v2.5 with CONFIG_WNM=y)
	- wpasupplicant (v2.0-v2.5 with CONFIG_WNM=y)
	- hostapd (v2.0-v2.5 with CONFIG_WNM=y)
	NOTE: http://w1.fi/security/2015-6/
	NOTE: https://w1.fi/security/2015-6/0001-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
	NOTE: https://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt
CVE-2015-5309 (Integer overflow in the terminal emulator in PuTTY before 0.66 allows ...)
	{DSA-3409-1 DLA-347-1}
	- putty 0.66-1
	NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
	NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6056396f77cafc7e40da4d09f1d6212408dcb065
CVE-2015-5308 (Multiple SQL injection vulnerabilities in cs_admin_users.php in the wp ...)
	NOT-FOR-US: wp-championship plugin for WordPress
CVE-2015-5307 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x thr ...)
	{DSA-3454-1 DSA-3414-1 DSA-3396-1 DLA-479-1}
	- linux 4.2.6-1
	- linux-2.6
	[squeeze] - linux-2.6 (KVM not supported in Squeeze LTS)
	- xen 4.8.0~rc3-1 (bug #823620)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-156.html
	- virtualbox 5.0.10-dfsg-1
	[wheezy] - virtualbox (DSA 3454)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR
CVE-2015-5306 (OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), ...)
	- ironic-inspector 3.2.0-1
	NOTE: https://bugs.launchpad.net/ironic-inspector/+bug/1506419
CVE-2015-5305 (Directory traversal vulnerability in Kubernetes, as used in Red Hat Op ...)
	- kubernetes (Fixed before the initial release in Debian, 1.2.0)
	NOTE: https://github.com/kubernetes/kubernetes/pull/15975
CVE-2015-5304 (Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does ...)
	NOT-FOR-US: Red Hat JBoss Enterprise Application Platform
CVE-2015-5303 (The TripleO Heat templates (tripleo-heat-templates), when deployed via ...)
	- tripleo-heat-templates 5.2.0-1 (bug #851396)
CVE-2015-5302 (libreport 2.0.7 before 2.6.3 only saves changes to the first file when ...)
	NOT-FOR-US: abrt/libreport
CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsi ...)
	- ipsilon (bug #826838)
CVE-2015-5300 (The panic_gate check in NTP before 4.2.8p5 is only re-enabled after th ...)
	{DSA-3388-1 DLA-335-1}
	- ntp 1:4.2.8p4+dfsg-2
	NOTE: https://www.cs.bu.edu/~goldbe/NTPattack.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1271076
CVE-2015-5299 (The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_c ...)
	{DSA-3433-1 DLA-379-1}
	- samba 2:4.1.22+dfsg-1
	NOTE: https://www.samba.org/samba/security/CVE-2015-5299.html
CVE-2015-5298 [Google Login Plugin for Jenkins authentication bypass]
	RESERVED
	NOT-FOR-US: Plugin not packaged in Debian
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-12
CVE-2015-5297 (An integer overflow issue has been reported in the general_composite_r ...)
	{DLA-1587-1}
	- pixman 0.33.4-1
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=92027
	NOTE: Patch: https://cgit.freedesktop.org/pixman/patch/?id=204fcd24d9b7e3988b7496e723014f327828751a
CVE-2015-5296 (Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before ...)
	{DSA-3433-1 DLA-379-1}
	- samba 2:4.1.22+dfsg-1
	NOTE: https://www.samba.org/samba/security/CVE-2015-5296.html
CVE-2015-5295 (The template-validate command in OpenStack Orchestration API (Heat) be ...)
	- heat 1:6.0.0~rc3-1
	[jessie] - heat (Minor issue)
	NOTE: Affects: <=2015.1.2, ==5.0.0
CVE-2015-5294
	REJECTED
CVE-2015-5293 (Red Hat Enterprise Virtualization Manager 3.6 and earlier gives valid ...)
	NOT-FOR-US: RHEV
CVE-2015-5292 (Memory leak in the Privilege Attribute Certificate (PAC) responder plu ...)
	- sssd 1.13.1-1
	[jessie] - sssd (Minor issue; responder not built)
	NOTE: binary package has the sssd_pac_plugin.so but the responder
	NOTE: part is not built.
	[wheezy] - sssd (vulnerable code not present)
	[squeeze] - sssd (vulnerable code not present)
	NOTE: https://fedorahosted.org/sssd/ticket/2803
	NOTE: https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch
CVE-2015-5291 (Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed ...)
	{DSA-3468-1 DLA-331-1}
	- mbedtls (Fixed before the initial release to Debian)
	[experimental] - polarssl 1.3.14-0.1
	- polarssl (bug #801413)
	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01
CVE-2015-5290 (A Denial of Service vulnerability exists in ircd-ratbox 3.0.9 in the M ...)
	- charybdis 3.4.2-5
	[jessie] - charybdis 3.4.2-5~deb8u1
	[wheezy] - charybdis (Minor issue)
	- ircd-ratbox (bug #805065)
	[jessie] - ircd-ratbox (Minor issue)
	[wheezy] - ircd-ratbox (Minor issue)
	[squeeze] - ircd-ratbox (Slow leak; workaround is available)
	NOTE: http://elemental-ircd.com/security/e50b0d59-f3c5-4472-a3cd-e2e07731417c/
CVE-2015-5289 (Multiple stack-based buffer overflows in json parsing in PostgreSQL be ...)
	{DSA-3374-1}
	- postgresql-9.4 9.4.5-1
	- postgresql-9.1 (no json datatype)
	- postgresql-8.4 (no json datatype)
CVE-2015-5288 (The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9. ...)
	{DSA-3475-1 DSA-3374-1 DLA-329-1}
	- postgresql-9.4 9.4.5-1
	- postgresql-9.1
	[jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl)
	- postgresql-8.4
	[wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream)
	[squeeze] - postgresql-8.4 (minor issue)
CVE-2015-5287 (The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-5286 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x b ...)
	- glance 1:11.0.0-1 (bug #800741)
	[jessie] - glance (Vulnerable code not present)
	[wheezy] - glance (Vulnerable code not present)
	NOTE: jessie: According to confirmation via upstream the fix for CVE-2014-9623
	NOTE: was complete here, so CVE-2015-5286 does not affect jessie.
	NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
CVE-2015-5285 (CRLF injection vulnerability in Kallithea before 0.3 allows remote att ...)
	- kallithea (bug #689573)
CVE-2015-5284 (ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate ...)
	- freeipa (Introduced in 4.2)
	NOTE: https://fedorahosted.org/freeipa/ticket/5347
	NOTE: Upstream commit: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=55a66ccba3e2181a50e7733b7476991975b7455f
CVE-2015-5283 (The sctp_init function in net/sctp/protocol.c in the Linux kernel befo ...)
	- linux 4.2.1-2
	[jessie] - linux 3.16.7-ckt11-1+deb8u5
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8e2d61e0aed2b7c4ecb35844fe07e0b2b762dee4 (v4.3-rc3)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4db67e808640e3934d82ce61ee8e2e89fd877ba8 (v3.7-rc1)
CVE-2015-5282 (Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. ...)
	- foreman (bug #663101)
CVE-2015-5281 (The grub2 package before 2.02-0.29 in Red Hat Enterprise Linux (RHEL) ...)
	- grub2 (SecureBoot not yet supported)
CVE-2015-5280
	REJECTED
CVE-2015-5279 (Heap-based buffer overflow in the ne2000_receive function in hw/net/ne ...)
	{DSA-3362-1 DSA-3361-1}
	- qemu 1:2.4+dfsg-3 (bug #799074)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03984.html
CVE-2015-5278 (The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 ...)
	{DSA-3362-1 DSA-3361-1}
	- qemu 1:2.4+dfsg-3 (bug #799073)
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: Fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03985.html
	NOTE: Possibly introduced around http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0ae045ae439ad83692ad039a554f7d62acf9de5c (v0.9.1)
CVE-2015-5277 (The get_contents function in nss_files/files-XXX.c in the Name Service ...)
	- glibc 2.21-1 (bug #799966)
	[jessie] - glibc 2.19-18+deb8u2
	- eglibc
	[wheezy] - eglibc (Vulnerable code not present)
	[squeeze] - eglibc (Vulnerable code not present)
CVE-2015-5276 (The std::random_device class in libstdc++ in the GNU Compiler Collecti ...)
	- gcc-5 5.3.0-1
	- gcc-4.9 4.9.3-5
	[jessie] - gcc-4.9 (Minor issue)
	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142
	NOTE: Upstream commit: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=227687
CVE-2015-5275
	REJECTED
CVE-2015-5274 (rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remot ...)
	NOT-FOR-US: OpenShift
CVE-2015-5273 (The abrt-action-install-debuginfo-to-abrt-cache help program in Automa ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-5272 (The Forum module in Moodle 2.7.x before 2.7.10 allows remote authentic ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576
CVE-2015-5271 (The TripleO Heat templates (tripleo-heat-templates) do not properly or ...)
	- tripleo-heat-templates (Vulnerability introduced later)
	NOTE: Fixed by: https://github.com/openstack/tripleo-heat-templates/commit/1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
	NOTE: Introduced by: https://github.com/openstack/tripleo-heat-templates/commit/65d64b6a52366f36955e5e48a29f4ef0ca2ff973 (0.8.2) [Puppet: Swift Overcloud Proxy/Storage support]
	NOTE: https://bugs.launchpad.net/tripleo/+bug/1494896
CVE-2015-5270
	REJECTED
CVE-2015-5269 (Cross-site scripting (XSS) vulnerability in group/overview.php in Mood ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709
CVE-2015-5268 (The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2. ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173
CVE-2015-5267 (lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
CVE-2015-5266 (The enrol_meta_sync function in enrol/meta/locallib.php in Moodle thro ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
CVE-2015-5265 (The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8. ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371
CVE-2015-5264 (The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x ...)
	- moodle 2.7.10+dfsg-1 (bug #799634)
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516
CVE-2015-5263 (pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's T ...)
	NOT-FOR-US: Pulp (Red Hat)
CVE-2015-5262 (http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents ...)
	{DLA-322-1}
	- httpcomponents-client 4.3.6-1 (low)
	[jessie] - httpcomponents-client (Minor issue)
	[squeeze] - httpcomponents-client (Regression introduced in 4.3.0)
	[wheezy] - httpcomponents-client (Regression introduced in 4.3.0)
	- commons-httpclient 3.1-12 (bug #798650)
	[jessie] - commons-httpclient 3.1-11+deb8u1
	[wheezy] - commons-httpclient 3.1-10.2+deb7u2
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1261538
	NOTE: https://issues.apache.org/jira/browse/HTTPCLIENT-1478 says it's really fixed in 4.3.6 and that 4.2.x did not have this bug.
	NOTE: Proposed patch for commons-httpclient: https://bugzilla.redhat.com/show_bug.cgi?id=1259892
	NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timeout before the SSL connection is opened.
	NOTE: Jessie's 4.3.5-2 is however missing the upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784
CVE-2015-5261 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS user ...)
	{DSA-3371-1}
	- spice 0.12.5-1.3 (bug #801091)
CVE-2015-5260 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS user ...)
	{DSA-3371-1}
	- spice 0.12.5-1.3 (bug #801089)
CVE-2015-5259 (Integer overflow in the read_string function in libsvn_ra_svn/marshal. ...)
	- subversion 1.9.3-1
	[jessie] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive))
	[wheezy] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive))
	[squeeze] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive))
	NOTE: https://subversion.apache.org/security/CVE-2015-5259-advisory.txt
CVE-2015-5258 (Cross-site request forgery (CSRF) vulnerability in springframework-soc ...)
	NOT-FOR-US: springframework-social
CVE-2015-5257 (drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows ...)
	{DSA-3372-1 DLA-325-1}
	- linux 4.2.1-1
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbb4be652d374f64661137756b8f357a1827d6a4 (v4.3-rc3)
CVE-2015-5256 (Apache Cordova-Android before 4.1.0, when an application relies on a r ...)
	NOT-FOR-US: Apache Cordova
CVE-2015-5255 (Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before ...)
	NOT-FOR-US: Adobe
CVE-2015-5254 (Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that c ...)
	{DSA-3524-1}
	- activemq 5.13.2+dfsg-1 (bug #809733)
	NOTE: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
	NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=6f03921b31d9fefeddb0f4fa63150ed1f94a14b1 (5.11.x)
	NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=73a0caf758f9e4916783a205c7e422b4db27905c (5.11.x)
	NOTE: Patch applied to Fedora (5.6.0 based version): http://pkgs.fedoraproject.org/cgit/activemq.git/diff/activemq-5.6.0-CVE-2015-5254.patch?id=e3ef8a1b62d10273a814090be9168aa3019ace72
	NOTE: https://issues.apache.org/jira/browse/AMQ-6013
CVE-2015-5253 (The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0. ...)
	NOT-FOR-US: Apache CXF
CVE-2015-5252 (vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, ...)
	{DSA-3433-1 DLA-379-1}
	- samba 2:4.1.22+dfsg-1
	NOTE: https://www.samba.org/samba/security/CVE-2015-5252.html
CVE-2015-5251 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x b ...)
	- glance 1:11.0.0-1 (bug #799931)
	[jessie] - glance 2014.1.3-12+deb8u1
	[wheezy] - glance (Minor issue)
	NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
CVE-2015-5250 (The API server in OpenShift Origin 1.0.5 allows remote attackers to ca ...)
	NOT-FOR-US: OpenShift
CVE-2015-5249
	REJECTED
CVE-2015-5248 (Reflected file download vulnerability in Red Hat Feedhenry Enterprise ...)
	NOT-FOR-US: Red Hat Mobile
CVE-2015-5247 (The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows ...)
	- libvirt 1.2.20-1 (bug #799132)
	[jessie] - libvirt (Vulnerable code introduced later)
	[wheezy] - libvirt (Vulnerable code introduced later)
	[squeeze] - libvirt (Vulnerable code introduced later)
	NOTE: http://security.libvirt.org/2015/0003.html
	NOTE: Broken by https://libvirt.org/git/?p=libvirt.git;a=commit;h=155ca616eb231181f6978efc9e3a1eb0eb60af8a (v1.2.14-rc1)
	NOTE: and by https://libvirt.org/git/?p=libvirt.git;a=commit;h=7c2d65dde2595c07d56aad1e043f7b1836592d89 (v1.2.16-rc1)
CVE-2015-5246 (The LDAP Authentication functionality in Foreman might allow remote at ...)
	- foreman (bug #663101)
CVE-2015-5245 (CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw o ...)
	[experimental] - ceph 0.94.3-1
	- ceph 0.80.10-1 (bug #798567)
	[jessie] - ceph 0.80.7-2+deb8u1
	NOTE: http://tracker.ceph.com/issues/12537
	NOTE: https://github.com/ceph/ceph/pull/5430
CVE-2015-5244 (The NSSCipherSuite option with ciphersuites enabled in mod_nss before ...)
	- libapache2-mod-nss 1.0.12-1 (bug #799464)
	[jessie] - libapache2-mod-nss (Vulnerability introduced in 1.0.11)
	[wheezy] - libapache2-mod-nss (Vulnerability introduced in 1.0.11)
	NOTE: Introduced in https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.0.11)
	NOTE: Fixed by https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=34e1ccecb4a7d5054dba2f92b403af9b6ae1e110 (1.0.12)
CVE-2015-5243 (phpWhois allows remote attackers to execute arbitrary code via a craft ...)
	NOT-FOR-US: phpWhois
CVE-2015-5242 (OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict u ...)
	NOT-FOR-US: swiftonfile
CVE-2015-5241 (After logging into the portal, the logout jsp page redirects the brows ...)
	NOT-FOR-US: Apache jUDDI
CVE-2015-5240 (Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before ...)
	- neutron 1:7.0.0-1
	[jessie] - neutron (Minor issue)
	NOTE: versions through 2014.2.3 and 2015.1 versions through 2015.1.1
CVE-2015-5239 (Integer overflow in the VNC display driver in QEMU before 2.1.0 allows ...)
	{DLA-574-1 DLA-573-1}
	- qemu 2.1+dfsg-1
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: Upstream fix: http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d (v2.1.0-rc0)
CVE-2015-5238
	REJECTED
CVE-2015-5237 (protobuf allows remote authenticated attackers to cause a heap-based b ...)
	- protobuf (unimportant)
	NOTE: https://github.com/google/protobuf/issues/760
	NOTE: Upstream doesn't consider this a real issue in practice.
CVE-2015-5236
	RESERVED
	- icedtea-web (unimportant)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256403
	NOTE: Negligible impact
CVE-2015-5235 (IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly dete ...)
- icedtea-web 1.6.1-1 (bug #798467) [jessie] - icedtea-web 1.5.3-1 [wheezy] - icedtea-web (Minor issue) CVE-2015-5234 (IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sani ...) - icedtea-web 1.6.1-1 (bug #798467) [jessie] - icedtea-web 1.5.3-1 [wheezy] - icedtea-web (Minor issue) CVE-2015-5233 (Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view ...) - foreman (bug #663101) CVE-2015-5232 (Race conditions in opa-fm before 10.4.0.0.196 and opa-ff before 10.4.0 ...) NOT-FOR-US: OPA Fabric Manager and OPA tools and Fast Fabric CVE-2015-5231 (The service daemon in CRIU does not properly restrict access to non-du ...) - criu 1.8-2 (bug #797110) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256728 CVE-2015-5230 (The DNS packet parsing/generation code in PowerDNS (aka pdns) Authorit ...) {DSA-3347-1} - pdns 3.4.6-1 [wheezy] - pdns (Only affects 3.4.0-3.4.5) [squeeze] - pdns (Only affects 3.4.0-3.4.5) NOTE: https://downloads.powerdns.com/patches/2015-02/ CVE-2015-5229 (The calloc function in the glibc package in Red Hat Enterprise Linux ( ...) - glibc (RHEL-specific backport) - eglibc (RHEL-specific backport) CVE-2015-5228 (The service daemon in CRIU creates log and dump files insecurely, whic ...) - criu 1.8-2 (bug #797111) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1255782 CVE-2015-5227 (The Landing Pages plugin before 1.9.2 for WordPress allows remote atta ...) NOT-FOR-US: Landing Pages plugin for WordPress CVE-2015-5226 REJECTED CVE-2015-5225 (Buffer overflow in the vnc_refresh_server_surface function in the VNC ...) 
{DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #796465) [wheezy] - qemu (Vulnerable code introduced in 2.1.0) [squeeze] - qemu (Vulnerable code introduced in 2.1.0) - qemu-kvm (Vulnerable code introduced in 2.1.0) NOTE: Fix: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02495.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=bea60dd7679364493a0d7f5b (v2.1.0-rc0) CVE-2015-5224 (The mkostemp function in login-utils in util-linux when used incorrect ...) [experimental] - util-linux 2.27~rc2-2 - util-linux 2.27-1 (unimportant) NOTE: chfn/chsh not built in util-linux in Debian (--disable-chfn-chsh) NOTE: https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9 (v2.27-rc2) CVE-2015-5223 (OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obta ...) - swift 2.4.0-1 (bug #797032) [jessie] - swift 2.2.0-1+deb8u1 [wheezy] - swift (Minor issue) CVE-2015-5222 (Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissio ...) NOT-FOR-US: OpenShift CVE-2015-5221 (Use-after-free vulnerability in the mif_process_cmpt function in libja ...) {DLA-1583-1} - jasper (bug #796253) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2015/08/20/4 NOTE: Fixed by https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3 CVE-2015-5220 (The Web Console in Red Hat Enterprise Application Platform (EAP) befor ...) NOT-FOR-US: JBoss EAP CVE-2015-5219 (The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not proper ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 CVE-2015-5218 (Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before ...) 
- util-linux 2.27-1 (unimportant; bug #798067) NOTE: https://www.spinics.net/lists/util-linux-ng/msg11873.html CVE-2015-5217 (providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsi ...) - ipsilon (bug #826838) CVE-2015-5216 (The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does ...) - ipsilon (bug #826838) CVE-2015-5215 (** DISPUTED ** The default configuration of the Jinja templating engin ...) - ipsilon (bug #826838) CVE-2015-5214 (LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice be ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc2-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5214/ CVE-2015-5213 (Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice bef ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5213/ CVE-2015-5212 (Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice be ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/ CVE-2015-5211 (Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4 ...) {DLA-1853-1} - libspring-java 4.1.9-1 [wheezy] - libspring-java (Minor issue) NOTE: https://jira.spring.io/browse/SPR-13548 NOTE: https://github.com/spring-projects/spring-framework/commit/2bd1da NOTE: https://github.com/spring-projects/spring-framework/commit/a95c3d NOTE: https://github.com/spring-projects/spring-framework/commit/03f547 NOTE: https://pivotal.io/security/cve-2015-5211 CVE-2015-5210 (Open redirect vulnerability in Apache Ambari before 2.1.2 allows remot ...) NOT-FOR-US: Apache Ambari CVE-2015-5209 (Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulat ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (Only affects versions >= 2.x) NOTE: https://struts.apache.org/docs/s2-026.html CVE-2015-5208 (Apache Cordova iOS before 4.0.0 allows remote attackers to execute arb ...) 
NOT-FOR-US: Apache Cordova CVE-2015-5207 (Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL ...) NOT-FOR-US: Apache Cordova CVE-2015-5206 (Unspecified vulnerability in the HTTP/2 experimental feature in Apache ...) - trafficserver 6.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) CVE-2015-5205 REJECTED CVE-2015-5204 (CRLF injection vulnerability in the Apache Cordova File Transfer Plugi ...) NOT-FOR-US: Apache Cordova Android File Transfer Plugin CVE-2015-5203 (Double free vulnerability in the jasper_image_stop_load function in Ja ...) {DLA-1583-1} - jasper (bug #796107) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) NOTE: Analysis/More information/Fixing commits: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c11 CVE-2015-5202 REJECTED CVE-2015-5201 (VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka ...) NOT-FOR-US: Red Hat vdms CVE-2015-5200 (The trace functionality in libvdpau before 1.1.1, when used in a setui ...) {DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5199 (Directory traversal vulnerability in dlopen in libvdpau before 1.1.1 a ...) {DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5198 (libvdpau before 1.1.1, when used in a setuid or setgid application, al ...) 
{DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5197 REJECTED CVE-2015-5196 REJECTED CVE-2015-5195 (ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be CVE-2015-5194 (The log_config_command function in ntp_parser.y in ntpd in NTP before ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27 NOTE: Fixed in 4.2.7p42 CVE-2015-5193 REJECTED CVE-2015-5192 REJECTED CVE-2015-5191 (VMware Tools prior to 10.0.9 contains multiple file system races in li ...) - open-vm-tools 2:10.1.5-5055683-5 (low; bug #869633) [stretch] - open-vm-tools 2:10.1.5-5055683-4+deb9u1 [jessie] - open-vm-tools (Vulnerable code not present) [wheezy] - open-vm-tools (Vulnerable code not present) NOTE: 9.10.x: https://github.com/vmware/open-vm-tools/commit/c1304ce8bfd9c0c33999e496bf7049d5c3d45821 NOTE: 10.0.x: https://github.com/vmware/open-vm-tools/commit/b3068b04880eda4ca3e13f2d34fb8ce336ad1a4f NOTE: 10.1.x: https://github.com/vmware/open-vm-tools/commit/22e58289f71232310d30cf162b83b5151a937bac CVE-2015-5190 (The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated ...) - pcs (Fixed before initial release to Debian) NOTE: https://github.com/feist/pcs/commit/634f6d93e4091946441f366e29859ed64a2c977a (0.9.144) CVE-2015-5189 (Race condition in pcsd in PCS 0.9.139 and earlier uses a global variab ...) 
- pcs (Fixed before the initial release in Debian) NOTE: Patch in Fedora: http://pkgs.fedoraproject.org/cgit/rpms/pcs.git/plain/fixed-session-and-cookies-processing.patch?h=f22&id=c4b5ad398cb011cdf31374d37943b6593411ae65 NOTE: Patch in CentOS 7 corresponding to RHSA-2015:1700: https://git.centos.org/blob/rpms!pcs/bafb6400d552c4d9e9cb46ddbe523e8f47e0de63/SOURCES!bz1253289-fixed-session-and-cookies-processing.patch CVE-2015-5188 (Cross-site request forgery (CSRF) vulnerability in the Web Console (we ...) NOT-FOR-US: JBoss EAP CVE-2015-5187 (Candlepin allows remote attackers to obtain sensitive information by o ...) NOT-FOR-US: candlepin / subscription-manager CVE-2015-5186 (Audit before 2.4.4 in Linux does not sanitize escape characters in fil ...) - audit 1:2.4.4-1 (unimportant; bug #795457) NOTE: Hardening, not a vulnerability. This is treated as a vulnerability in terminal emulators NOTE: https://fedorahosted.org/audit/changeset/1122 CVE-2015-5185 (The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and ...) - sblim-sfcb (bug #754493) CVE-2015-5184 (Console: CORS headers set to allow all in Red Hat AMQ. ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5183 (Console: HTTPOnly and Secure attributes not set on cookies in Red Hat ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5182 (Cross-site request forgery (CSRF) vulnerability in the jolokia API in ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5181 (The JBoss console in A-MQ allows remote attackers to execute arbitrary ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote attackers to ...) 
- glibc 2.24-9 (low; bug #796106) [jessie] - glibc (Minor issue, too intrusive to backport) - eglibc (low) [wheezy] - eglibc (Minor issue) [squeeze] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784 NOTE: Originally proposed for jessie 8.8, but breaks the NSS ABI so was retracted CVE-2015-5179 (FreeIPA might display user data improperly via vectors involving non-p ...) - freeipa (unimportant; bug #795399) NOTE: https://fedorahosted.org/freeipa/ticket/5153 NOTE: Negligible security impact CVE-2015-5178 (The Management Console in Red Hat Enterprise Application Platform befo ...) NOT-FOR-US: JBoss EAP CVE-2015-5177 (Double free vulnerability in the SLPDKnownDAAdd function in slpd/slpd_ ...) {DSA-3353-1 DLA-304-1} - openslp-dfsg 1.2.1-11 (bug #795429) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5177 CVE-2015-5176 (The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBos ...) NOT-FOR-US: PortletBridge component in JBoss Portal CVE-2015-5175 (Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before ...) NOT-FOR-US: Apache CXF Fediz CVE-2015-5174 (Directory traversal vulnerability in RequestUtil.java in Apache Tomcat ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat8 8.0.28-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.65, 8.0.27 CVE-2015-5173 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5172 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5171 (The password change functionality in Cloud Foundry Runtime cf-release ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5170 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) 
NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5169 (Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.2 ...) - libstruts1.2-java (Affects 2.0.0 - 2.3.16.3) CVE-2015-5168 (Unspecified vulnerability in the HTTP/2 experimental feature in Apache ...) - trafficserver 6.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) CVE-2015-5167 (The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote auth ...) NOT-FOR-US: Apache Ranger CVE-2015-5166 (Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not ...) - qemu 1:2.4+dfsg-1a (bug #794611) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code not present) [squeeze] - xen (Vulnerable code not present) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: pci_piix3_xen_ide_unplug introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=679f4f8b178e7c66fbc2f39c905374ee8663d5d8 (v1.0-rc0) NOTE: BlockDriverState converted to BlockBackend in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4be746345f13e99e468c60acbd3a355e8183e3ce (v2.2.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6cd387833d05e8ad31829d97e474dc420625aed9 (v2.4.0-rc4) NOTE: http://xenbits.xen.org/xsa/advisory-139.html CVE-2015-5165 (The C+ mode offload emulation in the RTL8139 network card device model ...) 
{DSA-3349-1 DSA-3348-1 DLA-479-1} - qemu 1:2.4+dfsg-1a (bug #794610) [wheezy] - qemu 1.1.2+dfsg-6a+deb7u9 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) - xen 4.4.0-1 [wheezy] - xen (Too intrusive to backport) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-140.html NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=39b8e7dcaf04cbdb926b478f825b160d852752b5 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d6812d60e7932de3cd0f602c0ee63dd3d09f1847 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e1c120a9c54872f8a538ff9129d928de4e865cbd NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=03247d43c577dfea8181cd40177ad5ba77c8db76 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=c6296ea88df040054ccd781f3945fe103f8c7c17 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4240be45632db7831129f124bcf53c1223825b0f NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=8357946b15f0a31f73dd691b7da95f29318ed310 CVE-2015-5164 (The Qpid server on Red Hat Satellite 6 does not properly restrict mess ...) NOT-FOR-US: Qpid server on Satellite6 CVE-2015-5163 (The import task action in OpenStack Image Service (Glance) 2015.1.x be ...) - glance 2015.1.0-4 (bug #795453) [jessie] - glance (Affects Glance 2015.1 versions through 2015.1.1) [wheezy] - glance (Affects Glance 2015.1 versions through 2015.1.1) CVE-2015-5162 (The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Gl ...) - cinder 2:8.0.0-1 [jessie] - cinder (Minor issue) - glance 2:12.0.0-1 (low) [jessie] - glance (Minor issue) [wheezy] - glance (not supported in Wheezy) - nova 2:13.0.0-1 (low) [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: Patches: https://www.openwall.com/lists/oss-security/2016/10/06/8 CVE-2015-5161 (The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework ...) 
{DSA-3340-1 DLA-302-1} - zendframework 1.12.14+dfsg-1 - php-zend-xml 1.0.1-1 NOTE: http://framework.zend.com/security/advisory/ZF2015-06 NOTE: Root issue already fixed in PHP 5.6.6, so this one is not relevant starting with Jessie CVE-2015-5160 (libvirt before 2.2 includes Ceph credentials on the qemu command line ...) - libvirt 2.2.0-1 (low; bug #796111) [jessie] - libvirt (Minor issue; needs changes first in QEMU) [wheezy] - libvirt (Minor issue; needs changes first in QEMU) [squeeze] - libvirt (Unsupported in squeeze-lts) NOTE: libvirt side fixed with: http://libvirt.org/git/?p=libvirt.git;a=commit;h=d53d465083edeb64cc7b78249c030734c0d91c6b NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a1344f70a128921e7fe7213da7c1afbc962fba9c NOTE: and needs at least Qemu 2.6, which is satisfied in Stretch and later. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1182074 (not yet opened) NOTE: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html NOTE: Needs changes in QEMU for passing passwords. Affects at least iSCSI and rbd/ceph. CVE-2015-5159 (python-kdcproxy before 0.3.2 allows remote attackers to cause a denial ...) NOT-FOR-US: kdcproxy CVE-2015-5158 (Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built ...) - qemu 1:2.4+dfsg-1a (bug #793388) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2015-07/msg04558.html NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=1894df02811f6b79ea3ffbf1084599d96f316173 (v2.2.0-rc0) CVE-2015-5157 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) 
{DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Introduced in 3.3) - linux-2.6 (Introduced in 3.3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a NOTE: Same fix as for CVE-2015-3290. CVE-2015-5156 (The virtnet_probe function in drivers/net/virtio_net.c in the Linux ke ...) {DSA-3364-1 DLA-310-1} - linux 4.1.5-1 - linux-2.6 NOTE: http://marc.info/?l=linux-netdev&m=143868216724068&w=2 CVE-2015-5155 REJECTED CVE-2015-5154 (Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xe ...) {DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #793811) [wheezy] - qemu (Vulnerable code not present, introduced in 1.3) [squeeze] - qemu (Vulnerable code not present, introduced in 1.3) - qemu-kvm (Vulnerable code not present, introduced in 1.3) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code not present, introduced in 4.2) [squeeze] - xen (Vulnerable code not present, introduced in 4.2) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-138.html NOTE: qemu patches: NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=d2ff85854512574e7209f295e87b0835d5b032c6 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=cb72cba83021fa42719e73a5249c12096a4d1cfc NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=03441c3a4a42beb25460dd11592539030337d0f8 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ce560dcf20c14194db5ef3b9fc1ea592d4e68109 (v1.3.0-rc0) CVE-2015-5153 (Pulp does not remove permissions for named objects upon deletion, whic ...) NOT-FOR-US: Pulp (Red Hat) CVE-2015-5152 (Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests ...) - foreman (bug #663101) CVE-2015-5151 (Cross-site scripting (XSS) vulnerability in the Slider Revolution (rev ...) NOT-FOR-US: Slider Revolution (revslider) plugin for WordPress CVE-2015-5150 (Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngi ...) 
NOT-FOR-US: Zoho ManageEngine SupportCenter Plus CVE-2015-5149 (Directory traversal vulnerability in Zoho ManageEngine SupportCenter P ...) NOT-FOR-US: Zoho ManageEngine SupportCenter Plus CVE-2015-5148 (SQL injection vulnerability in LivelyCart 1.2.0 allows remote attacker ...) NOT-FOR-US: LivelyCart CVE-2015-5145 (validators.URLValidator in Django 1.8.x before 1.8.3 allows remote att ...) - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ CVE-2015-5144 (Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8 ...) {DSA-3305-1 DLA-272-1} - python-django 1.7.9-1 NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5144 has split out patches CVE-2015-5143 (The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7 ...) {DSA-3305-1 DLA-272-1} - python-django 1.7.9-1 NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ CVE-2015-5142 RESERVED CVE-2015-5141 RESERVED CVE-2015-5140 RESERVED CVE-2015-5139 RESERVED CVE-2015-5138 RESERVED CVE-2015-5137 RESERVED CVE-2015-5136 RESERVED CVE-2015-5135 RESERVED CVE-2015-5134 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5133 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5132 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5131 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5130 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5129 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-5128 REJECTED CVE-2015-5127 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5126 REJECTED CVE-2015-5125 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5124 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5123 (Use-after-free vulnerability in the BitmapData class in the ActionScri ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5122 (Use-after-free vulnerability in the DisplayObject class in the ActionS ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5121 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute a ...) NOT-FOR-US: Shockwave CVE-2015-5120 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute a ...) NOT-FOR-US: Shockwave CVE-2015-5119 (Use-after-free vulnerability in the ByteArray class in the ActionScrip ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5118 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5117 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5116 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5115 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5114 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5113 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5112 REJECTED CVE-2015-5111 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) 
NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5110 (Stack-based buffer overflow in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5109 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5108 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5107 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5106 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5105 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5104 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5103 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5102 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5101 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5100 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5099 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5098 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5097 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5096 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) 
NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5095 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5094 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5093 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5092 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5091 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5090 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5089 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5088 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5087 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5086 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5085 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5084 (The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite application ...) NOT-FOR-US: Siemens CVE-2015-5083 RESERVED CVE-2015-5082 (Endian Firewall before 3.0 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Endian Firewall CVE-2015-5080 (The Management Interface in Citrix NetScaler Application Delivery Cont ...) NOT-FOR-US: Citrix CVE-2015-5079 (Directory traversal vulnerability in widgets/logs.php in BlackCat CMS ...) 
NOT-FOR-US: BlackCat CMS CVE-2015-5078 (SQL injection vulnerability in the insert function in application/cont ...) - limesurvey (bug #472802) CVE-2015-5077 RESERVED CVE-2015-5076 (Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM ...) NOT-FOR-US: X2Engine CVE-2015-5075 (Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM befo ...) NOT-FOR-US: X2Engine CVE-2015-5074 (Incomplete blacklist vulnerability in the FileUploadsFilter class in p ...) NOT-FOR-US: X2Engine CVE-2015-5072 (The BIRT Engine servlet in the AR System Mid Tier component before 9.0 ...) NOT-FOR-US: AR System Mid Tier CVE-2015-5071 (AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 ...) NOT-FOR-US: AR System Mid Tier CVE-2015-5146 (ntpd in ntp before 4.2.8p3 with remote configuration enabled allows re ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi CVE-2015-5352 (The x11_open_helper function in channels.c in ssh in OpenSSH before 6. ...) {DLA-1500-1 DLA-288-1} - openssh 1:6.9p1-1 (bug #790798) [wheezy] - openssh (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2015/07/01/7 NOTE: https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d CVE-2015-5147 (Stack-based buffer overflow in the header_anchor function in the HTML ...) - ruby-redcarpet (Affects v3.3.0 - v3.3.1) NOTE: https://github.com/vmg/redcarpet/commit/2cee777c1e5babe8a1e2683d31ea75cc4afe55fb NOTE: https://www.openwall.com/lists/oss-security/2015/06/29/3 CVE-2015-5081 (Cross-site request forgery (CSRF) vulnerability in django CMS before 3 ...) - python-django-cms (bug #516183) CVE-2015-5073 (Heap-based buffer overflow in the find_fixedlength function in pcre_co ...) 
- pcre3 2:8.35-7 (bug #790000) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1651 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1571 (8.38) NOTE: Introduced in http://vcs.pcre.org/pcre?view=revision&revision=454 (8.00) NOTE: https://www.openwall.com/lists/oss-security/2015/06/26/1 CVE-2015-5068 (XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allow ...) NOT-FOR-US: SAP CVE-2015-5067 (The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetW ...) NOT-FOR-US: SAP CVE-2015-5066 (Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-5065 (Absolute path traversal vulnerability in proxy.php in the google curre ...) NOT-FOR-US: Paypal Currency Converter Basic For WooCommerce plugin for WordPress CVE-2015-5064 (Multiple cross-site scripting (XSS) vulnerabilities in MySql Lite Admi ...) NOT-FOR-US: MySql Lite Administrator CVE-2015-5063 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CM ...) - silverstripe (bug #528461) CVE-2015-5062 (Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 ...) - silverstripe (bug #528461) CVE-2015-5061 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExp ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2015-5060 (Cross-site scripting (XSS) vulnerability in anchor-cms before 0.9-dev. ...) NOT-FOR-US: anchor-cms CVE-2015-5058 (Memory leak in the virtual server component in F5 Big-IP LTM, AAM, AFM ...) NOT-FOR-US: F5 BIG-IP CVE-2015-5056 RESERVED CVE-2015-5055 RESERVED CVE-2015-5054 (Open redirect vulnerability in Ellucian (formerly SunGard) Banner Stud ...) NOT-FOR-US: Ellucian (formerly SunGard) Banner Student CVE-2015-5053 (The host memory mapping path feature in the NVIDIA GPU graphics driver ...) 
- nvidia-graphics-drivers 352.41-1 [jessie] - nvidia-graphics-drivers (Only affects R352 and R346 Linux branches) [wheezy] - nvidia-graphics-drivers (Only affects R352 and R346 Linux branches) CVE-2015-5052 (SQL injection vulnerability in Sefrengo before 1.6.5 beta2. ...) NOT-FOR-US: Sefrengo CVE-2015-5051 (IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6. ...) NOT-FOR-US: IBM CVE-2015-5050 (Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contra ...) NOT-FOR-US: IBM CVE-2015-5049 (SQL injection vulnerability in the API in IBM OpenPages GRC Platform 7 ...) NOT-FOR-US: IBM CVE-2015-5048 RESERVED CVE-2015-5047 RESERVED CVE-2015-5046 RESERVED CVE-2015-5045 (The Administration and Reporting tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM CVE-2015-5044 (The Flow Collector in IBM Security QRadar QFLOW 7.1.x before 7.1 MR2 P ...) NOT-FOR-US: IBM QRadar CVE-2015-5043 (diag in IBM Security Guardium 8.2 before p6015, 9.0 before p6015, 9.1, ...) NOT-FOR-US: IBM Security Guardium CVE-2015-5042 (IBM Emptoris Contract Management 9.5.0.x before 9.5.0.6 iFix15, 10.0.0 ...) NOT-FOR-US: IBM CVE-2015-5041 (The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R ...) NOT-FOR-US: IBM JDK CVE-2015-5040 (Buffer overflow in IBM Domino 8.5.1 through 8.5.3 before 8.5.3 FP6 IF1 ...) NOT-FOR-US: IBM Domino CVE-2015-5039 (The Remote Client and change management integrations in IBM Rational C ...) NOT-FOR-US: IBM CVE-2015-5038 (IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5 ...) NOT-FOR-US: IBM CVE-2015-5037 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 3.x ...) NOT-FOR-US: IBM CVE-2015-5036 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.x before ...) NOT-FOR-US: IBM CVE-2015-5035 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.x before ...) 
	NOT-FOR-US: IBM
CVE-2015-5034
	RESERVED
CVE-2015-5033
	RESERVED
CVE-2015-5032
	RESERVED
CVE-2015-5031
	RESERVED
CVE-2015-5030
	RESERVED
CVE-2015-5029
	RESERVED
CVE-2015-5028
	RESERVED
CVE-2015-5027
	RESERVED
CVE-2015-5026
	RESERVED
CVE-2015-5025
	RESERVED
CVE-2015-5024 (IBM Emptoris Sourcing 10.0.2.0 before iFix6, 10.0.2.2 before iFix11, 1 ...)
	NOT-FOR-US: IBM
CVE-2015-5023 (SQL injection vulnerability in IBM Curam Social Program Management 6.1 ...)
	NOT-FOR-US: IBM
CVE-2015-5022 (IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B A ...)
	NOT-FOR-US: IBM
CVE-2015-5021 (IBM InfoSphere Information Server 11.3 and 11.5 allows remote authenti ...)
	NOT-FOR-US: IBM
CVE-2015-5020 (The Big SQL component in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0. ...)
	NOT-FOR-US: IBM
CVE-2015-5019 (IBM Sterling Integrator 5.1 before 5010004_8 and Sterling B2B Integrat ...)
	NOT-FOR-US: IBM
CVE-2015-5018 (IBM Security Access Manager for Web 7.0.0 before FP19 and 8.0 before 8 ...)
	NOT-FOR-US: IBM
CVE-2015-5017 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...)
	NOT-FOR-US: IBM
CVE-2015-5016 (IBM Maximo Asset Management 7.1, 7.5, and 7.6; Maximo Asset Management ...)
	NOT-FOR-US: IBM Maximo Asset Management
CVE-2015-5015 (IBM WebSphere Commerce Enterprise 7.0.0.9 and 8.x before Feature Pack ...)
	NOT-FOR-US: IBM
CVE-2015-5014 (IBM Cognos Disclosure Management (CDM) 10.1.x and 10.2.x before 10.2.4 ...)
	NOT-FOR-US: IBM
CVE-2015-5013 (The IBM Security Access Manager appliance includes configuration files ...)
	NOT-FOR-US: IBM
CVE-2015-5012 (The SSH implementation on IBM Security Access Manager for Web applianc ...)
	NOT-FOR-US: IBM
CVE-2015-5011 (IBM WebSphere Message Broker 8 before 8.0.0.6 and Integration Bus 9 be ...)
	NOT-FOR-US: IBM
CVE-2015-5010 (IBM Security Access Manager for Web 7.0 before 7.0.0 IF21, 8.0 before ...)
	NOT-FOR-US: IBM
CVE-2015-5009 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 ...)
	NOT-FOR-US: IBM
CVE-2015-5008 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 ...)
	NOT-FOR-US: IBM
CVE-2015-5007 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Comme ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-5006 (IBM Java Security Components in IBM SDK, Java Technology Edition 8 bef ...)
	NOT-FOR-US: IBM JDK
CVE-2015-5005 (CSPOC in IBM PowerHA SystemMirror on AIX 6.1 and 7.1 allows remote aut ...)
	NOT-FOR-US: IBM
CVE-2015-5004 (The Edge Component Caching Proxy in IBM WebSphere Application Server ( ...)
	NOT-FOR-US: IBM
CVE-2015-5003 (The portal in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 thr ...)
	NOT-FOR-US: IBM Tivoli Monitoring
CVE-2015-5002 (Cross-site scripting (XSS) vulnerability in IBM Host On-Demand 11.0 th ...)
	NOT-FOR-US: IBM
CVE-2015-5001 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...)
	NOT-FOR-US: IBM WebSphere Portal
CVE-2015-5000
	RESERVED
CVE-2015-4999
	RESERVED
CVE-2015-4998 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...)
	NOT-FOR-US: IBM WebSphere Portal
CVE-2015-4997 (IBM WebSphere Portal 8.5.0 before CF08 allows remote attackers to bypa ...)
	NOT-FOR-US: IBM
CVE-2015-4996 (IBM Rational ClearQuest 7.1.x and 8.0.0.x before 8.0.0.17 and 8.0.1.x ...)
	NOT-FOR-US: IBM Rational ClearQuest
CVE-2015-4995
	RESERVED
CVE-2015-4994 (Buffer overflow in IBM Domino 8.5.1 through 8.5.3 before 8.5.3 FP6 IF1 ...)
	NOT-FOR-US: IBM
CVE-2015-4993 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4992 (IBM Sterling B2B Integrator 5.2 before 5020500_8 allows remote authent ...)
	NOT-FOR-US: IBM
CVE-2015-4991 (IBM SPSS Modeler 14.2 through FP3 IF027, 15 through FP3 IF015, 16 thro ...)
	NOT-FOR-US: IBM
CVE-2015-4990 (The portal in IBM Tealeaf Customer Experience before 8.7.1.8818, 8.8 b ...)
	NOT-FOR-US: IBM Tealeaf Customer Experience
CVE-2015-4989 (The portal in IBM Tealeaf Customer Experience before 8.7.1.8814, 8.8 b ...)
	NOT-FOR-US: IBM Tealeaf Customer Experience
CVE-2015-4988 (Directory traversal vulnerability in the replay server in IBM Tealeaf ...)
	NOT-FOR-US: IBM Tealeaf Customer Experience
CVE-2015-4987 (The search and replay servers in IBM Tealeaf Customer Experience 8.0 t ...)
	NOT-FOR-US: IBM Tealeaf Customer Experience
CVE-2015-4986
	RESERVED
CVE-2015-4985
	RESERVED
CVE-2015-4984
	RESERVED
CVE-2015-4983
	RESERVED
CVE-2015-4982
	RESERVED
CVE-2015-4981 (IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1. ...)
	NOT-FOR-US: IBM General Parallel File System
CVE-2015-4980 (Unspecified vulnerability in IBM WebSphere Commerce 7.0.0.6 through 7. ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4979
	RESERVED
CVE-2015-4978
	RESERVED
CVE-2015-4977
	RESERVED
CVE-2015-4976
	RESERVED
CVE-2015-4975
	RESERVED
CVE-2015-4974 (IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1. ...)
	NOT-FOR-US: IBM
CVE-2015-4973 (Cross-site scripting (XSS) vulnerability in IBM Multi-Enterprise Integ ...)
	NOT-FOR-US: IBM
CVE-2015-4972
	RESERVED
CVE-2015-4971 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Strategic Sup ...)
	NOT-FOR-US: IBM
CVE-2015-4970
	RESERVED
CVE-2015-4969
	RESERVED
CVE-2015-4968
	REJECTED
CVE-2015-4967 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 through ...)
	NOT-FOR-US: IBM
CVE-2015-4966 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 ...)
	NOT-FOR-US: IBM
CVE-2015-4965 (maximouiweb/webmodule/webclient/utility/merlin.jsp in IBM Maximo Asset ...)
	NOT-FOR-US: IBM
CVE-2015-4964 (IBM UrbanCode Deploy 6.0 and 6.0.1.x before 6.0.1.10, 6.1.1.x before 6 ...)
	NOT-FOR-US: IBM
CVE-2015-4963 (IBM Security Access Manager for Web 7.x before 7.0.0.16 and 8.x before ...)
	NOT-FOR-US: IBM
CVE-2015-4962 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...)
	NOT-FOR-US: IBM
CVE-2015-4961 (IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x befo ...)
	NOT-FOR-US: IBM
CVE-2015-4960 (IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10. ...)
	NOT-FOR-US: IBM InfoSphere Master Data Management
CVE-2015-4959 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Ident ...)
	NOT-FOR-US: IBM Tivoli Federated Identity Manager
CVE-2015-4958 (IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10. ...)
	NOT-FOR-US: IBM InfoSphere Master Data Management
CVE-2015-4957 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Security ...)
	NOT-FOR-US: IBM Security QRadar SIEM
CVE-2015-4956 (The Web UI in IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 a ...)
	NOT-FOR-US: IBM Security QRadar SIEM
CVE-2015-4955 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...)
	NOT-FOR-US: IBM
CVE-2015-4954 (IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF ...)
	NOT-FOR-US: IBM
CVE-2015-4953 (IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF ...)
	NOT-FOR-US: IBM
CVE-2015-4952 (The on-demand plugin in IBM Endpoint Manager for Remote Control 9.0.1 ...)
	NOT-FOR-US: IBM
CVE-2015-4951 (Client Acceptor Daemon (CAD) in the client in IBM Spectrum Protect (fo ...)
	NOT-FOR-US: IBM Spectrum Protect
CVE-2015-4950 (The mailbox-restore feature in IBM Tivoli Storage Manager for Mail: Da ...)
	NOT-FOR-US: IBM
CVE-2015-4949 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...)
	NOT-FOR-US: IBM
CVE-2015-4948 (netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre chan ...)
	NOT-FOR-US: IBM
CVE-2015-4947 (Stack-based buffer overflow in the Administration Server in IBM HTTP S ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4946 (Rational LifeCycle Project Administration in Jazz Team Server in IBM R ...)
	NOT-FOR-US: IBM
CVE-2015-4945 (Unspecified vulnerability in the IBM Maximo Anywhere application 7.5.1 ...)
	NOT-FOR-US: IBM
CVE-2015-4944 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...)
	NOT-FOR-US: IBM
CVE-2015-4943 (IBM WebSphere MQ Light 1.x before 1.0.2 allows remote attackers to cau ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4942 (IBM WebSphere MQ Light 1.x before 1.0.2 allows remote attackers to cau ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4941 (IBM WebSphere MQ Light 1.x before 1.0.2 mishandles abbreviated TLS han ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4940 (Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x be ...)
	NOT-FOR-US: IBM
CVE-2015-4939 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Supplier Life ...)
	NOT-FOR-US: IBM
CVE-2015-4938 (IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0 ...)
	NOT-FOR-US: IBM WebSphere
CVE-2015-4937
	RESERVED
CVE-2015-4936 (Unspecified vulnerability in IBM WebSphere eXtreme Scale 8.6 through 8 ...)
	NOT-FOR-US: IBM
CVE-2015-4935 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...)
	NOT-FOR-US: IBM
CVE-2015-4934 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...)
	NOT-FOR-US: IBM
CVE-2015-4933 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...)
	NOT-FOR-US: IBM
CVE-2015-4932 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...)
	NOT-FOR-US: IBM
CVE-2015-4931 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...)
	NOT-FOR-US: IBM
CVE-2015-4930 (IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Pa ...)
	NOT-FOR-US: IBM QRadar SIEM
CVE-2015-4929 (IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Soft ...)
	NOT-FOR-US: IBM
CVE-2015-4928 (Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x be ...)
	NOT-FOR-US: Apache Ambari
CVE-2015-4927 (The Reporting and Monitoring component in Tivoli Monitoring in IBM Tiv ...)
	NOT-FOR-US: IBM
CVE-2015-4926 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle
CVE-2015-4925 (Unspecified vulnerability in the Workspace Manager component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4924 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4923 (Unspecified vulnerability in the XML Developer's Kit for C component i ...)
	NOT-FOR-US: Oracle
CVE-2015-4922 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...)
	NOT-FOR-US: Oracle
CVE-2015-4921 (Unspecified vulnerability in the Database Vault component in Oracle Da ...)
	NOT-FOR-US: Oracle
CVE-2015-4920 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...)
	NOT-FOR-US: Oracle
CVE-2015-4919 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...)
	NOT-FOR-US: Oracle
CVE-2015-4918
	REJECTED
CVE-2015-4917 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4916 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...)
	- openjfx 8u91-b14-1 (bug #823622)
CVE-2015-4915 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...)
	NOT-FOR-US: Oracle
CVE-2015-4914 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-4913 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4912 (Unspecified vulnerability in the Oracle Access Manager component in Or ...)
	NOT-FOR-US: Oracle
CVE-2015-4911 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4910 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4909 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4908 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...)
	- openjfx 8u91-b14-1 (bug #823622)
CVE-2015-4907 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4906 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...)
	- openjfx 8u91-b14-1 (bug #823622)
CVE-2015-4905 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4904 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4903 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4902 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allo ...)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-4901 (Unspecified vulnerability in Oracle Java SE 8u60 allows remote attacke ...)
	- openjfx 8u91-b14-1 (bug #823622)
CVE-2015-4900 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-4899 (Unspecified vulnerability in the Oracle GlassFish Server component in ...)
	- glassfish (Full application server not packaged)
CVE-2015-4898 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle
CVE-2015-4897
	REJECTED
CVE-2015-4896 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	{DSA-3384-1}
	- virtualbox 5.0.8-dfsg-1
	- virtualbox-ose
	[squeeze] - virtualbox-ose (No longer supported in Squeeze LTS)
CVE-2015-4895 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...)
	{DSA-3385-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	- mariadb-10.0 10.0.21-3
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4894 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...)
	NOT-FOR-US: Oracle
CVE-2015-4893 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4892 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4891 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4890 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4889
	REJECTED
CVE-2015-4888 (Unspecified vulnerability in the Java VM component in Oracle Database ...)
	NOT-FOR-US: Oracle
CVE-2015-4887 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...)
	NOT-FOR-US: Oracle
CVE-2015-4886 (Unspecified vulnerability in the Oracle Report Manager component in Or ...)
	NOT-FOR-US: Oracle
CVE-2015-4885 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-4884 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle
CVE-2015-4883 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4882 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4881 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4880 (Unspecified vulnerability in the Oracle WebCenter Content component in ...)
	NOT-FOR-US: Oracle
CVE-2015-4879 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.21-3
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4878 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-4877 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-4876 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-4875 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-4874 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-4873 (Unspecified vulnerability in the Database Scheduler component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-4872 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4871 (Unspecified vulnerability in Oracle Java SE 7u85 allows remote attacke ...)
	{DSA-3401-1}
	- openjdk-7 7u91-2.6.3-1
CVE-2015-4870 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4869 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4868 (Unspecified vulnerability in Oracle Java SE 8u60 and Java SE Embedded ...)
	- openjdk-8 8u66-b17-1
CVE-2015-4867 (Unspecified vulnerability in the Oracle WebCenter Content component in ...)
	NOT-FOR-US: Oracle
CVE-2015-4866 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only affects MySQL 5.6)
	- mariadb-10.0 10.0.19-1
	[jessie] - mariadb-10.0 10.0.20-0+deb8u1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
	NOTE: MariaDB: fixed in 10.0.18
CVE-2015-4865 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle
CVE-2015-4864 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5
	[jessie] - mysql-5.5 5.5.44-0+deb8u1
	[wheezy] - mysql-5.5 5.5.44-0+deb7u1
	[squeeze] - mysql-5.5 5.5.46-0+deb6u1
CVE-2015-4863 (Unspecified vulnerability in the Portable Clusterware component in Ora ...)
	NOT-FOR-US: Oracle
CVE-2015-4862 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4861 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4860 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4859 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-4858 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4857 (Unspecified vulnerability in the RDBMS component in Oracle Database Se ...)
	NOT-FOR-US: Oracle
CVE-2015-4856 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	- virtualbox 5.0.0-dfsg-1
	[jessie] - virtualbox 4.3.30-dfsg-1+deb8u1
	[wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1
	- virtualbox-ose
	[squeeze] - virtualbox-ose (No longer supported in Squeeze LTS)
CVE-2015-4855
	REJECTED
CVE-2015-4854 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle
CVE-2015-4853
	REJECTED
CVE-2015-4852 (The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2. ...)
	NOT-FOR-US: Oracle
CVE-2015-4851 (Unspecified vulnerability in the Oracle iSupplier Portal component in ...)
	NOT-FOR-US: Oracle
CVE-2015-4850 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...)
	NOT-FOR-US: Oracle
CVE-2015-4849 (Unspecified vulnerability in the Oracle Payments component in Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2015-4848 (Unspecified vulnerability in the Oracle Configurator component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-4847 (Unspecified vulnerability in the Oracle Configurator component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-4846 (Unspecified vulnerability in the Oracle Applications Manager component ...)
	NOT-FOR-US: Oracle
CVE-2015-4845 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle
CVE-2015-4844 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3725-1 DSA-3465-1 DSA-3381-1 DLA-545-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
	- icu 57.1-1.1
	NOTE: http://bugs.icu-project.org/trac/ticket/12020
	NOTE: For ICU note that the original fix causes additional problems:
	NOTE: https://ssl.icu-project.org/trac/ticket/12020#comment:4
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298906#c1
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1273318
	NOTE: see also CVE-2016-0494, introduced through the fix for this CVE.
	NOTE: Upstream commit for OpenJDK: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dbb4e2bdfa9e
CVE-2015-4843 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4842 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4841 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...)
	NOT-FOR-US: Oracle Siebel CRM
CVE-2015-4840 (Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE ...)
	{DSA-3381-1}
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4839 (Unspecified vulnerability in the Oracle Applications Technology Stack ...)
	NOT-FOR-US: Oracle
CVE-2015-4838 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4837 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4836 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4835 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4834 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4833 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4832 (Unspecified vulnerability in the Oracle Identity Manager component in ...)
	NOT-FOR-US: Oracle
CVE-2015-4831 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4830 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4829
	REJECTED
CVE-2015-4828 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...)
	NOT-FOR-US: Oracle
CVE-2015-4827 (Unspecified vulnerability in the Oracle Retail Open Commerce Platform ...)
	NOT-FOR-US: Oracle
CVE-2015-4826 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4825 (Unspecified vulnerability in the PeopleSoft Enterprise FIN Expenses co ...)
	NOT-FOR-US: Oracle
CVE-2015-4824 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-4823 (Unspecified vulnerability in the Hyperion Installation Technology comp ...)
	NOT-FOR-US: Oracle
CVE-2015-4822 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4821 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...)
	NOT-FOR-US: Oracle
CVE-2015-4820 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4819 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, a ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.21-3
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4818 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-4817 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4816 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier al ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 (Only affects MySQL 5.5)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.21-3
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4815 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4814
	REJECTED
CVE-2015-4813 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	{DSA-3384-1}
	- virtualbox 5.0.8-dfsg-1
	- virtualbox-ose
	[squeeze] - virtualbox-ose (No longer supported in Squeeze LTS)
CVE-2015-4812 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-4811 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-4810 (Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local ...)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-4809 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-4808 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-4807 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	- mysql-5.6 (Only on Windows platform)
	- mysql-5.5 (Only on Windows platform)
	- mariadb-10.0 (Only on Windows platform)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4806 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4805 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4804 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Talent Acqu ...)
	NOT-FOR-US: Oracle PeopleSoft Products
CVE-2015-4803 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4802 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4801 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4800 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4799 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-4798 (Unspecified vulnerability in the Oracle Applications Technology Stack ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2015-4797 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle Supply Chain Products Suite
CVE-2015-4796 (Unspecified vulnerability in the Java VM component in Oracle Database ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-4795 (Unspecified vulnerability in the Oracle Utilities Work and Asset Manag ...)
	NOT-FOR-US: Oracle Industry Applications
CVE-2015-4794 (Unspecified vulnerability in the Java VM component in Oracle Database ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-4793 (Unspecified vulnerability in the Oracle Communications Convergence com ...)
	NOT-FOR-US: Oracle Communications Applications
CVE-2015-4792 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...)
	{DSA-3385-1 DSA-3377-1 DLA-359-1}
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (bug #802564)
	- mariadb-10.0 10.0.22-1 (bug #802874)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4791 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...)
	- mysql-5.6 (Only on Windows platform)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4790 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4789 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4788 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4787 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4786 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4785 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4784 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4783 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4782 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4781 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4780 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4779 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4778 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4777 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4776 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4775 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4774 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4773 (Unspecified vulnerability in the Hyperion Common Security component in ...)
	NOT-FOR-US: Oracle Hyperion
CVE-2015-4772 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4771 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4770 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-4769 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4768 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-4767 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4766 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...)
	- mysql-5.6 5.6.27-1 (bug #802563)
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4765 (Unspecified vulnerability in the Oracle Applications Manager component ...)
	NOT-FOR-US: Oracle Applications Manager
CVE-2015-4764 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4763 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-4762 (Unspecified vulnerability in the Oracle Applications DBA component in ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2015-4761 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4760 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...)
	{DSA-3339-1 DSA-3323-1 DSA-3316-1 DLA-303-1 DLA-283-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	- icu 52.1-10
	NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3f9845510b47
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-4759 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4758 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4757 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier an ...)
	{DSA-3311-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 5.5.43-0+deb8u1
	NOTE: mysql-5.5 5.5.43 was not uploaded to unstable, bug migrated to unstable due to upload to jessie-security
	[jessie] - mysql-5.5 5.5.43-0+deb8u1
	[wheezy] - mysql-5.5 5.5.43-0+deb7u1
	- mariadb-10.0 10.0.19-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4756 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4755 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-4754 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-4753 (Unspecified vulnerability in the RDBMS Support Tools component in Orac ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-4752 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	{DSA-3311-1 DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0 10.0.20-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-4751 (Unspecified vulnerability in the Oracle Access Manager component in Or ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4750 (Unspecified vulnerability in the Oracle VM Server for SPARC component ...)
	NOT-FOR-US: Oracle VM Server
CVE-2015-4749 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of Java."
CVE-2015-4748 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of Java."
CVE-2015-4747 (Unspecified vulnerability in the Oracle Event Processing component in ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4746 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Manage ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-4745 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4744 (Unspecified vulnerability in the Oracle GlassFish Server component in ...)
	- glassfish (Full application server not packaged)
CVE-2015-4743 (Unspecified vulnerability in the Oracle Applications DBA component in ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-4742 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-4741 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-4740 (Unspecified vulnerability in the RDBMS Partitioning component in Oracl ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-4739 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-4738 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Candidate G ...)
	NOT-FOR-US: Oracle PeopleSoft
CVE-2015-4737 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, a ...)
	{DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0
	NOTE: Possibly related to https://github.com/mysql/mysql-server/commit/c655515d
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
	NOTE: https://lists.launchpad.net/maria-developers/msg08985.html
	NOTE: https://mariadb.atlassian.net/browse/MDEV-8269
	NOTE: Marked as not-affected for MariaDB since Oracle has given no evidence of
	NOTE: affecting MariaDB to their developers.
CVE-2015-4736 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remot ...)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-4735 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...)
	NOT-FOR-US: Oracle Database
CVE-2015-4734 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and ...)
	{DSA-3465-1 DSA-3381-1 DLA-346-1}
	- openjdk-6
	- openjdk-7 7u85-2.6.1-6
	- openjdk-8 8u66-b17-1
CVE-2015-4733 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-4732 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-4731 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-4730 (Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows re ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only affects MySQL 5.6)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
CVE-2015-4729 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remot ...)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-4728 (Unspecified vulnerability in the Oracle Sourcing component in Oracle E ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-4727 (Unspecified vulnerability in Oracle Virtualization Sun Ray Software be ...)
	NOT-FOR-US: Oracle Virtualization
CVE-2015-4726 (PHP remote file inclusion vulnerability in ajax/myajaxphp.php in Audio ...)
	NOT-FOR-US: AudioShare
CVE-2015-4725 (Cross-site scripting (XSS) vulnerability in forgot.php in AudioShare 2 ...)
	NOT-FOR-US: AudioShare
CVE-2015-4724 (SQL injection vulnerability in Concrete5 5.7.3.1. ...)
	NOT-FOR-US: Concrete5
CVE-2015-4723
	RESERVED
CVE-2015-4722
	RESERVED
CVE-2015-4721 (Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3 ...)
	NOT-FOR-US: Concrete5
CVE-2015-4720
	REJECTED
CVE-2015-4719 (The client API authentication mechanism in Pexip Infinity before 10 al ...)
	NOT-FOR-US: Pexip Infinity
CVE-2015-4718 (The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x ...)
	{DSA-3373-1}
	- owncloud 7.0.6+dfsg-1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-008
	NOTE: https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4
CVE-2015-4717 (The filename sanitization component in ownCloud Server before 6.0.8, 7 ...)
	{DSA-3373-1}
	- owncloud 7.0.6+dfsg-1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-007
	NOTE: https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e
CVE-2015-4716 (Directory traversal vulnerability in the routing component in ownCloud ...)
	{DSA-3373-1}
	- owncloud 7.0.6+dfsg-1 (unimportant)
	NOTE: Specific to installations on Windows
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-006
CVE-2015-4715 (The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownClo ...)
	- php-dropbox 1.0.0-4 (unimportant)
	[jessie] - php-dropbox 1.0.0-3+deb8u1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-005
	NOTE: Only relevant if server runs PHP below 5.6.0
CVE-2015-4714 (Cross-site scripting (XSS) vulnerability in the DreamBox DM500-S allow ...)
	NOT-FOR-US: DreamBox DM500-S
CVE-2015-4713 (SQL injection vulnerability in ApPHP Hotel Site 3.x.x allows remote ed ...)
	NOT-FOR-US: ApPHP Hotel Site
CVE-2015-4712
	RESERVED
CVE-2015-4711
	RESERVED
CVE-2015-4710
	RESERVED
CVE-2015-4709
	REJECTED
CVE-2015-4708
	RESERVED
CVE-2015-4705
	RESERVED
CVE-2015-4702
	RESERVED
CVE-2015-4701
	RESERVED
CVE-2015-4699 (Cross-site scripting (XSS) vulnerability in the Splash Portal in Cloud ...)
	NOT-FOR-US: Cloud4Wi
CVE-2015-4698
	RESERVED
CVE-2015-4697 (Cross-site request forgery (CSRF) vulnerability in Google Analyticator ...)
	NOT-FOR-US: WordPress plugin google-analyticator
CVE-2015-4694 (Directory traversal vulnerability in download.php in the Zip Attachmen ...)
	NOT-FOR-US: Zip Attachments plugin for WordPress
CVE-2015-4693
	RESERVED
CVE-2015-4691
	RESERVED
CVE-2015-4690
	RESERVED
CVE-2015-4689 (Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows ...)
	NOT-FOR-US: Ellucian (formerly SunGard) Banner Student
CVE-2015-4688 (Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allow r ...)
	NOT-FOR-US: Ellucian (formerly SunGard) Banner Student
CVE-2015-4687 (Cross-site scripting (XSS) vulnerability in Ellucian (formerly SunGard ...)
	NOT-FOR-US: Ellucian (formerly SunGard) Banner Student
CVE-2015-4686
	RESERVED
CVE-2015-4685 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows loc ...)
	NOT-FOR-US: Polycom RealPresence Resource Manager
CVE-2015-4684 (Multiple directory traversal vulnerabilities in Polycom RealPresence R ...)
	NOT-FOR-US: Polycom RealPresence Resource Manager
CVE-2015-4683 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows att ...)
	NOT-FOR-US: Polycom RealPresence Resource Manager
CVE-2015-4682 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows rem ...)
	NOT-FOR-US: Polycom RealPresence Resource Manager
CVE-2015-4681 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows loc ...)
	NOT-FOR-US: Polycom RealPresence Resource Manager
CVE-2015-4679 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...)
	NOT-FOR-US: Airties RT-210
CVE-2015-4678 (SQL injection vulnerability in Persian Car CMS 1.0 allows remote attac ...)
	NOT-FOR-US: Persian Car CMS
CVE-2015-4677 (Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka F ...)
	NOT-FOR-US: FiverrScript
CVE-2015-4676 (SQL injection vulnerability in ticket.php in TickFa 1.x allows remote ...)
	NOT-FOR-US: TickFa
CVE-2015-4675 (Buffer overflow in the Tiny SRP library (aka TinySRP) allows remote at ...)
	NOT-FOR-US: Tiny SRP
CVE-2015-5070 (The (1) filesystem::get_wml_location function in filesystem.cpp and (2 ...)
	{DLA-297-1}
	[experimental] - wesnoth-1.13 1:1.13.1-1
	- wesnoth-1.12 1:1.12.4-1
	- wesnoth-1.10
	[jessie] - wesnoth-1.10 1:1.10.7-2+deb8u1
	[wheezy] - wesnoth-1.10 1:1.10.3-3+deb7u2
	- wesnoth-1.8
	NOTE: https://github.com/wesnoth/wesnoth/commit/b2738ffb2fdd2550ececb74f76f75583c43c8b59
CVE-2015-5069 (The (1) filesystem::get_wml_location function in filesystem.cpp and (2 ...)
	{DLA-297-1}
	[experimental] - wesnoth-1.13 1:1.13.1-1
	- wesnoth-1.12 1:1.12.4-1
	- wesnoth-1.10
	[jessie] - wesnoth-1.10 1:1.10.7-2+deb8u1
	[wheezy] - wesnoth-1.10 1:1.10.3-3+deb7u2
	- wesnoth-1.8
	NOTE: https://github.com/wesnoth/wesnoth/commit/f8914468182e8d0a1551b430c0879ba236fe4d6d
CVE-2015-5059 (The "Project Documentation" feature in MantisBT 1.2.19 and earlier, wh ...)
	- mantis
	[wheezy] - mantis (Minor issue)
	[squeeze] - mantis (Unsupported in squeeze-lts)
	NOTE: http://github.com/mantisbt/mantisbt/commit/f39cf525 (1.2.x)
	NOTE: https://mantisbt.org/bugs/view.php?id=19873
CVE-2015-5057 (Cross-site scripting (XSS) vulnerability exists in the Wordpress admin ...)
	NOT-FOR-US: WordPress plugin broken-link-checker
CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows ...)
	- ipython 2.4.1-1 (bug #789824)
	[jessie] - ipython (Minor issue)
	[wheezy] - ipython (Problematic code introduced in rel-2.0.0)
	[squeeze] - ipython (Problematic code introduced in rel-2.0.0)
	NOTE: https://github.com/ipython/ipython/commit/1fcc9943c000ab553ebc029db99ecbd0536960d6
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/22/4
CVE-2015-4706 (Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 all ...)
	- ipython (Only affects 3.x)
CVE-2015-4704 (Directory traversal vulnerability in the Download Zip Attachments plug ...)
	NOT-FOR-US: WordPress plugin download-zip-attachments
CVE-2015-4703 (Absolute path traversal vulnerability in mysqldump_download.php in the ...)
	NOT-FOR-US: WordPress plugin wp-instance-rename
CVE-2015-4700 (The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the ...)
	{DSA-3329-1}
	- linux 4.0.7-1
	- linux-2.6
	[squeeze] - linux-2.6 (Introduced in v3.0-rc1)
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be (v4.1-rc6)
	NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a14842f5a3c0e88a1e59fac5c3025db39721f74 (v3.0-rc1)
CVE-2015-4696 (Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers ...)
	{DSA-3302-1 DLA-257-1}
	- libwmf 0.2.8.4-10.4 (bug #784192)
CVE-2015-4695 (meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of ...)
	{DSA-3302-1 DLA-257-1}
	- libwmf 0.2.8.4-10.4 (bug #784205)
CVE-2015-4680 (FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly ...)
	{DLA-977-1}
	- freeradius 2.2.8+dfsg-0.1 (bug #789623)
	[jessie] - freeradius (Minor issue)
	[squeeze] - freeradius (Minor issue)
	NOTE: Recommended configuration is to use self-signed CAs for EAP-TLS methods.
	NOTE: See raddb/certs/README
	NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/5e698b407dcac2bc45cf03484bac4398109d25c3 (v2.x.x branch)
	NOTE: http://www.ocert.org/advisories/ocert-2015-008.html
CVE-2015-4674 (The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows re ...)
	NOT-FOR-US: TimeDoctor Pro
CVE-2015-4673 (Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.7. ...)
	NOT-FOR-US: ClipBucket
CVE-2015-4672
	RESERVED
CVE-2015-4671 (Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 al ...)
	NOT-FOR-US: OpenCart
CVE-2015-4670 (Directory traversal vulnerability in the AjaxFileUpload control in Dev ...)
	NOT-FOR-US: AjaxControlToolkit
CVE-2015-4669 (The MySQL "root" user in Xsuite 2.x does not have a password set, whic ...)
	NOT-FOR-US: Xsuite
CVE-2015-4668 (Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remot ...)
	NOT-FOR-US: Xsuite
CVE-2015-4667 (Multiple hardcoded credentials in Xsuite 2.x. ...)
	NOT-FOR-US: Xsuite
CVE-2015-4666 (Directory traversal vulnerability in opm/read_sessionlog.php in Xceedi ...)
	NOT-FOR-US: Xceedium Xsuite
CVE-2015-4665 (Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium X ...)
	NOT-FOR-US: Xceedium Xsuite
CVE-2015-4664 (An improper input validation vulnerability in CA Privileged Access Man ...)
	NOT-FOR-US: CA Privileged Access Manager
CVE-2015-4663
	RESERVED
	- hhvm 3.11.0+dfsg-1
	NOTE: https://github.com/facebook/hhvm/commit/e282a459188a472e177b45ad2d2989289294df74
CVE-2015-4662
	RESERVED
CVE-2015-4661 (Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows ...)
	NOT-FOR-US: Symphony CMS
CVE-2015-4660 (Cross-site scripting (XSS) vulnerability in Enhanced SQL Portal 5.0.79 ...)
	NOT-FOR-US: Enhanced SQL Portal
CVE-2015-4659 (Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and ...)
	NOT-FOR-US: ClickHeat
CVE-2015-4658 (Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm C ...)
	NOT-FOR-US: Milw0rm Clone Script
CVE-2015-4657 (Cross-site scripting (XSS) vulnerability in Mailbird 2.0.16.0 and earl ...)
	NOT-FOR-US: Mailbird
CVE-2015-4656 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo ...)
	NOT-FOR-US: Synology Photo Station
CVE-2015-4655 (Cross-site scripting (XSS) vulnerability in Synology DiskStation Manag ...)
	NOT-FOR-US: Synology DiskStation Manager
CVE-2015-4654 (SQL injection vulnerability in the EQ Event Calendar component for Joo ...)
	NOT-FOR-US: EQ Event Calendar component for Joomla!
CVE-2015-4653
	RESERVED
CVE-2015-4650 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-4649 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-4648 (Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 ActiveX c ...)
	NOT-FOR-US: Panasonic Security API
CVE-2015-4647 (Multiple stack-based buffer overflows in Ipropsapi in Panasonic Securi ...)
	NOT-FOR-US: Panasonic Security API
CVE-2015-4641 (Directory traversal vulnerability in the SwiftKey language-pack update ...)
	NOT-FOR-US: SwiftKey language-pack update implementation on Samsung devices
CVE-2015-4640 (The SwiftKey language-pack update implementation on Samsung Galaxy S4, ...)
	NOT-FOR-US: SwiftKey language-pack update implementation on Samsung devices
CVE-2015-4652 (epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wires ...)
	{DSA-3294-1}
	- wireshark 1.12.6+gee1fce6-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: http://www.wireshark.org/security/wnpa-sec-2015-20.html
CVE-2015-4651 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...)
	{DSA-3294-1}
	- wireshark 1.12.6+gee1fce6-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: http://www.wireshark.org/security/wnpa-sec-2015-19.html
CVE-2015-4646 ((1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash ...)
	- squashfs-tools 1:4.3-2 (bug #793468)
	[jessie] - squashfs-tools (Minor issue)
	[wheezy] - squashfs-tools (Minor issue)
	[squeeze] - squashfs-tools (Minor issue)
	NOTE: https://github.com/plougher/squashfs-tools/commit/f95864afe8833fe3ad782d714b41378e860977b1
	NOTE: https://github.com/plougher/squashfs-tools/commit/ba215d73e153a6f237088b4ecb88c702bb4d4183
	NOTE: Further, more complete fixes went into 1:4.3+git190815-1
CVE-2015-4645 (Integer overflow in the read_fragment_table_4 function in unsquash-4.c ...)
	- squashfs-tools 1:4.3-2 (bug #793467)
	[jessie] - squashfs-tools (Minor issue)
	[wheezy] - squashfs-tools (Minor issue)
	[squeeze] - squashfs-tools (Minor issue)
	NOTE: https://github.com/plougher/squashfs-tools/commit/f95864afe8833fe3ad782d714b41378e860977b1
	NOTE: https://github.com/plougher/squashfs-tools/commit/ba215d73e153a6f237088b4ecb88c702bb4d4183
	NOTE: Further, more complete fixes went into 1:4.3+git190815-1
CVE-2015-4642 (The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.4 ...)
	- php5 (Windows specific)
	NOTE: https://bugs.php.net/bug.php?id=69646
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4643 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP b ...)
	{DSA-3344-1 DLA-307-1}
	- php5 5.6.11+dfsg-1
	NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42
	NOTE: https://bugs.php.net/bug.php?id=69545#1431550655
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4644 (The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgs ...)
	{DSA-3344-1 DLA-307-1}
	- php5 5.6.11+dfsg-1
	NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42
	NOTE: https://bugs.php.net/bug.php?id=69667
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4639 (Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl ...)
	NOT-FOR-US: Koha
CVE-2015-4638 (The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...)
	NOT-FOR-US: FastL4
CVE-2015-4637 (The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 ...)
	NOT-FOR-US: BIG-IQ
CVE-2015-4636
	RESERVED
CVE-2015-4635
	RESERVED
CVE-2015-4634 (SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allow ...)
	{DSA-3312-1 DLA-278-1}
	- cacti 0.8.8e+ds1-1
	NOTE: http://bugs.cacti.net/view.php?id=2577
	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-4633 (Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, ...)
	- koha (bug #389876)
CVE-2015-4632 (Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.1 ...)
	- koha (bug #389876)
CVE-2015-4631 (Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x bef ...)
	- koha (bug #389876)
CVE-2015-4630 (Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.1 ...)
	- koha (bug #389876)
CVE-2015-4629 (Huawei E5756S before V200R002B146D23SP00C00 allows remote attackers to ...)
	NOT-FOR-US: Huawei
CVE-2015-4628 (SQL injection vulnerability in application/controllers/admin/questiong ...)
	- limesurvey (bug #472802)
CVE-2015-4627 (SQL injection vulnerability in Pragyan CMS 3.0. ...)
	NOT-FOR-US: Pragyan CMS
CVE-2015-4626 (B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation, wh ...)
	NOT-FOR-US: B.A.S C2Box
CVE-2015-4624 (Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens. ...)
	NOT-FOR-US: Hak5 WiFi Pineapple
CVE-2015-4623
	RESERVED
CVE-2015-4622
	RESERVED
CVE-2015-4621
	RESERVED
CVE-2015-4620 (name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9. ...)
	{DSA-3304-1 DLA-270-1}
	- bind9 1:9.9.5.dfsg-10 (bug #791715)
	NOTE: https://kb.isc.org/article/AA-01267
CVE-2015-4619 (Cross-site request forgery (CSRF) vulnerability in Spina before commit ...)
	NOT-FOR-US: Spina CMS
CVE-2015-4618
	RESERVED
CVE-2015-4617 (Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpl ...)
	NOT-FOR-US: WordPress plugin easy2map-photos
CVE-2015-4616 (Directory traversal vulnerability in includes/MapPinImageSave.php in t ...)
	NOT-FOR-US: Easy2Map plugin for WordPress
CVE-2015-4615 (Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Inj ...)
	NOT-FOR-US: WordPress plugin easy2map-photos
CVE-2015-4614 (Multiple SQL injection vulnerabilities in includes/Function.php in the ...)
	NOT-FOR-US: Easy2Map plugin for WordPress
CVE-2015-4613 (SQL injection vulnerability in the backend module in the Developer Log ...)
	NOT-FOR-US: TYPO3 extension devlog
CVE-2015-4612 (SQL injection vulnerability in the "FAQ - Frequently Asked Questions" ...)
	NOT-FOR-US: TYPO3 extension js_faq
CVE-2015-4611 (SQL injection vulnerability in the Smoelenboek (ncgov_smoelenboek) ext ...)
	NOT-FOR-US: TYPO3 extension ncgov_smoelenboek
CVE-2015-4610 (SQL injection vulnerability in the Store Locator (locator) extension b ...)
	NOT-FOR-US: TYPO3 extension locator
CVE-2015-4609 (SQL injection vulnerability in the wt_directory extension before 1.4.2 ...)
	NOT-FOR-US: TYPO3 extension wt_directory
CVE-2015-4608 (Cross-site scripting (XSS) vulnerability in the BE User Log (beko_beus ...)
	NOT-FOR-US: TYPO3 extension beko_beuserlog
CVE-2015-4607 (Unrestricted file upload vulnerability in the Frontend User Upload (fe ...)
	NOT-FOR-US: TYPO3 extension feupload
CVE-2015-4606 (Unrestricted file upload vulnerability in the Job Fair (jobfair) exten ...)
	NOT-FOR-US: TYPO3 extension jobfair
CVE-2015-4597
	RESERVED
CVE-2015-4596 (Lenovo Mouse Suite before 6.73 allows local users to run arbitrary cod ...)
	NOT-FOR-US: Lenovo
CVE-2015-4595
	RESERVED
CVE-2015-4594 (eClinicalWorks Population Health (CCMR) suffers from a session fixatio ...)
	NOT-FOR-US: eClinicalWorks Population Health
CVE-2015-4593 (eClinicalWorks Population Health (CCMR) suffers from a cross-site requ ...)
	NOT-FOR-US: eClinicalWorks Population Health
CVE-2015-4592 (eClinicalWorks Population Health (CCMR) suffers from an SQL injection ...)
	NOT-FOR-US: eClinicalWorks Population Health
CVE-2015-4591 (eClinicalWorks Population Health (CCMR) suffers from a cross site scri ...)
	NOT-FOR-US: eClinicalWorks Population Health
CVE-2015-4590 (The extractFrom function in Internals/QuotedString.cpp in Arduino JSON ...)
	NOT-FOR-US: Arduino JSON
CVE-2015-4589
	RESERVED
CVE-2015-4587 (Cross-site scripting (XSS) vulnerability in the Alcatel-Lucent CellPip ...)
	NOT-FOR-US: Alcatel-Lucent CellPipe 7130 router
CVE-2015-4586 (Cross-site request forgery (CSRF) vulnerability in Alcatel-Lucent Cell ...)
	NOT-FOR-US: Alcatel-Lucent CellPipe 7130 RG 5Ae.M2013 HOL
CVE-2015-4585
	RESERVED
CVE-2015-4584
	RESERVED
CVE-2015-4583
	RESERVED
CVE-2015-4582
	RESERVED
CVE-2015-4581
	RESERVED
CVE-2015-4580
	RESERVED
CVE-2015-4579
	RESERVED
CVE-2015-4578
	RESERVED
CVE-2015-4577
	RESERVED
CVE-2015-4576
	RESERVED
CVE-2015-4575
	RESERVED
CVE-2015-4574
	RESERVED
CVE-2015-4573
	RESERVED
CVE-2015-4572
	RESERVED
CVE-2015-4571
	RESERVED
CVE-2015-4570
	RESERVED
CVE-2015-4569
	RESERVED
CVE-2015-4568
	RESERVED
CVE-2015-4567
	RESERVED
CVE-2015-4566
	RESERVED
CVE-2015-4565
	RESERVED
CVE-2015-4564
	RESERVED
CVE-2015-4563
	RESERVED
CVE-2015-4562
	RESERVED
CVE-2015-4561
	RESERVED
CVE-2015-4560
	RESERVED
CVE-2015-4559 (Cross-site scripting (XSS) vulnerability in the product deployment fea ...)
	NOT-FOR-US: Intel McAfee ePolicy Orchestrator
CVE-2015-4558
	RESERVED
CVE-2015-4557 (Cross-site scripting (XSS) vulnerability in the new_Twitter_sign_butto ...)
	NOT-FOR-US: WordPress plugin nextend-twitter-connect
CVE-2015-4555 (Buffer overflow in the HTTP administrative interface in TIBCO Rendezvo ...)
	NOT-FOR-US: TIBCO
CVE-2015-4554 (Multiple unspecified vulnerabilities in TIBCO Spotfire Client and Spot ...)
	NOT-FOR-US: TIBCO
CVE-2015-4553 (A file upload issue exists in DeDeCMS before 5.7-sp1, which allows mal ...)
	NOT-FOR-US: DeDeCMS
CVE-2015-4552 (Cross-site scripting (XSS) vulnerability in the quick edit function in ...)
	NOT-FOR-US: MyBB
CVE-2015-4551 (LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the s ...)
	{DSA-3394-1}
	- libreoffice 1:5.0.1~rc1-1
	NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-4551/
CVE-2015-4550 (The Cavium cryptographic-module firmware on Cisco Adaptive Security Ap ...)
	NOT-FOR-US: Cisco
CVE-2015-4549
	RESERVED
CVE-2015-4548 (EMC RSA Web Threat Detection before 5.1 SP1 allows local users to obta ...)
	NOT-FOR-US: EMC RSA Web Threat Detection
CVE-2015-4547 (EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB ...)
	NOT-FOR-US: EMC RSA Web Threat Detection
CVE-2015-4546 (Directory traversal vulnerability in EMC RSA OneStep 6.9 before build ...)
	NOT-FOR-US: EMC RSA OneStep
CVE-2015-4545 (EMC Isilon OneFS 7.1 before 7.1.1.8, 7.2.0 before 7.2.0.4, and 7.2.1 b ...)
	NOT-FOR-US: EMC Isilon OneFS
CVE-2015-4544 (EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 do ...)
	NOT-FOR-US: EMC Documentum Content Server
CVE-2015-4543 (EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored password ...)
	NOT-FOR-US: EMC RSA Archer GRC
CVE-2015-4542 (EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users ...)
	NOT-FOR-US: EMC RSA Archer GRC
CVE-2015-4541 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...)
NOT-FOR-US: EMC RSA Archer GRC CVE-2015-4540 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identit ...) NOT-FOR-US: EMC RSA CVE-2015-4539 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identit ...) NOT-FOR-US: EMC RSA CVE-2015-4538 (The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 ...) NOT-FOR-US: EMC Atmos CVE-2015-4537 (Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase wh ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-4536 (EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4535 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4534 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4533 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4532 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4531 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4530 (Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebT ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4529 (Open redirect vulnerability in EMC Documentum WebTop before 6.8P02, Do ...) NOT-FOR-US: EMC Documentum WebTop CVE-2015-4528 (Cross-site scripting (XSS) vulnerability in EMC Documentum CenterStage ...) NOT-FOR-US: EMC Documentum CenterStage CVE-2015-4527 (Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1. ...) NOT-FOR-US: EMC Avamar CVE-2015-4526 (EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to ...) NOT-FOR-US: EMC RecoverPoint CVE-2015-4525 (The log-gather implementation in the web administration interface in E ...) 
NOT-FOR-US: EMC Isilon OneFS CVE-2015-4524 (Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 ...) NOT-FOR-US: EMC Documentum WebTop Client CVE-2015-4523 (Blue Coat Malware Analysis Appliance (MAA) before 4.2.5 and Malware An ...) NOT-FOR-US: Blue Coat CVE-2015-4522 (The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 4 ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4521 (The ConvertDialogOptions function in Mozilla Firefox before 41.0 and F ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4520 (Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow rem ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/ CVE-2015-4519 (Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow use ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/ CVE-2015-4518 (The Reader View implementation in Mozilla Firefox before 42.0 has an i ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-118/ CVE-2015-4517 (NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x b ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4516 (Mozilla Firefox before 41.0 allows remote attackers to bypass certain ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/ CVE-2015-4515 (Mozilla Firefox before 42.0, when NTLM v1 is enabled for HTTP authenti ...) 
- iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-117/ CVE-2015-4514 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/ CVE-2015-4513 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/ CVE-2015-4512 (gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/ CVE-2015-4511 (Heap-based buffer overflow in the nestegg_track_codec_data function in ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/ CVE-2015-4510 (Race condition in the WorkerPrivate::NotifyFeatures function in Mozill ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/ CVE-2015-4509 (Use-after-free vulnerability in the HTMLVideoElement interface in Mozi ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/ CVE-2015-4508 (Mozilla Firefox before 41.0, when reader mode is enabled, allows remot ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/ CVE-2015-4507 (The SavedStacks class in the JavaScript implementation in Mozilla Fire ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/ CVE-2015-4506 (Buffer overflow in the vp9_init_context_buffers function in libvpx, as ...) 
{DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel - libvpx 1.4.0-4 (unimportant) [squeeze] - libvpx (no vp9 support in this version) [wheezy] - libvpx (no vp9 support in this version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/ NOTE: this is a duplicate of CVE-2015-1258, libvpx in google chrome CVE-2015-4505 (updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-100/ CVE-2015-4504 (The lut_inverse_interp16 function in the QCMS library in Mozilla Firef ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/ CVE-2015-4503 (The TCP Socket API implementation in Mozilla Firefox before 41.0 misha ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/ CVE-2015-4502 (js/src/proxy/Proxy.cpp in Mozilla Firefox before 41.0 mishandles certa ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/ CVE-2015-4501 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/ CVE-2015-4500 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/ CVE-2015-4499 (Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x b ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla (Not supported in Squeeze LTS) CVE-2015-4498 (The add-on installation feature in Mozilla Firefox before 40.0.3 and F ...) 
{DSA-3345-1} - iceweasel 38.2.1esr-1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-95 CVE-2015-4497 (Use-after-free vulnerability in the CanvasRenderingContext2D implement ...) {DSA-3345-1} - iceweasel 38.2.1esr-1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/ CVE-2015-4496 (Multiple integer overflows in libstagefright in Mozilla Firefox before ...) - iceweasel 38.0-1 [jessie] - iceweasel 38.2.0esr-1~deb8u1 [wheezy] - iceweasel 38.2.0esr-1~deb7u1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-93/ CVE-2015-4495 (The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x befo ...) - iceweasel 38.1.1esr-1 [jessie] - iceweasel (Only affects 38.x ESR and 39) [wheezy] - iceweasel (Only affects 38.x ESR and 39) [squeeze] - iceweasel (Only affects 38.x ESR and 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/ - pdf.js 1.1.366+dfsg-1 [jessie] - pdf.js 1.0.907+dfsg-1+deb8u1 NOTE: for jessie: xul-ext-pdf.js binary package build was removed NOTE: https://github.com/mozilla/pdf.js/commit/0b5330781c367fcbc997947adbf2bdcdf71f61bc NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1179262 CVE-2015-4494 (Mozilla Firefox OS before 2.2 does not require the wifi-manage privile ...) NOT-FOR-US: Firefox OS CVE-2015-4493 (Heap-based buffer overflow in the stagefright::ESDS::parseESDescriptor ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4492 (Use-after-free vulnerability in the XMLHttpRequest::Open implementatio ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/ CVE-2015-4491 (Integer overflow in the make_filter_table function in pixops/pixops.c ...) 
{DSA-3337-2 DSA-3337-1 DLA-434-1} - gdk-pixbuf 2.31.7-1 - gtk+2.0 2.21.5-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a NOTE: https://www.openwall.com/lists/oss-security/2015/07/17/17 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/ NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf CVE-2015-4490 (The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in M ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-91 CVE-2015-4489 (The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox ESR 38 ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel - icedove 38.3.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4488 (Use-after-free vulnerability in the StyleAnimationValue class in Mozil ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel - icedove 38.3.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4487 (The nsTSubstring::ReplacePrep function in Mozilla Firefox before 40.0, ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel - icedove 38.3.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4486 (The decrease_ref_count function in libvpx in Mozilla Firefox before 40 ...) 
- libvpx 1.4.0-1 [jessie] - libvpx (Vulnerable code not present) [wheezy] - libvpx (Vulnerable code not present) [squeeze] - libvpx (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1177948 is restricted CVE-2015-4485 (Heap-based buffer overflow in the resize_context_buffers function in l ...) - libvpx 1.4.0-1 [jessie] - libvpx (Vulnerable code not present) [wheezy] - libvpx (Vulnerable code not present) [squeeze] - libvpx (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1178148 is restricted CVE-2015-4484 (The js::jit::AssemblerX86Shared::lock_addl function in the JavaScript ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/ CVE-2015-4483 (Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypa ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/ CVE-2015-4482 (mar_read.c in the Updater in Mozilla Firefox before 40.0 and Firefox E ...) - iceweasel (Updater not used in Debian) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/ CVE-2015-4481 (Race condition in the Mozilla Maintenance Service in Mozilla Firefox b ...) - iceweasel (Only affects Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/ CVE-2015-4480 (Integer overflow in the stagefright::SampleTable::isValid function in ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4479 (Multiple integer overflows in libstagefright in Mozilla Firefox before ...) 
{DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4478 (Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not im ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/ CVE-2015-4477 (Use-after-free vulnerability in the MediaStream playback feature in Mo ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/ CVE-2015-4476 (Mozilla Firefox before 41.0 on Android allows user-assisted remote att ...) - iceweasel (Affects only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-99/ CVE-2015-4475 (The mozilla::AudioSink function in Mozilla Firefox before 40.0 and Fir ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/ CVE-2015-4474 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 39) - icedove (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/ CVE-2015-4473 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel - icedove 38.3.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/ CVE-2015-4466 RESERVED CVE-2015-4465 (Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Re ...) NOT-FOR-US: WordPress plugin zM Ajax Login & Register CVE-2015-4464 (Kguard Digital Video Recorder 104, 108, v2 does not have any authoriza ...) NOT-FOR-US: Kguard Digital Video Recorder CVE-2015-4463 (The file_manager component in eFront CMS before 3.6.15.5 allows remote ...) NOT-FOR-US: eFront CMS CVE-2015-4462 (Absolute path traversal vulnerability in the file_manager component of ...) 
NOT-FOR-US: eFront CMS CVE-2015-4461 (Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earli ...) NOT-FOR-US: eFront CMS CVE-2015-4460 (Cross-site request forgery (CSRF) vulnerability in SecuritySetting/Use ...) NOT-FOR-US: C2Box CVE-2015-4459 RESERVED CVE-2015-4458 (The TLS implementation in the Cavium cryptographic-module firmware, as ...) NOT-FOR-US: Cisco CVE-2015-4603 (The exception::getTraceAsString function in Zend/zend_exceptions.c in ...) - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69152 [2015-03-03 04:30 UTC] CVE-2015-4602 (The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4601 (PHP before 5.6.7 might allow remote attackers to cause a denial of ser ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4600 (The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.2 ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4599 (The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4. ...) 
{DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69152 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4 CVE-2015-4598 (PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does n ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69719 NOTE: Fixed in 5.6.10 and 5.4.42 upstream CVE-2015-4588 (Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8 ...) {DSA-3302-1 DLA-253-1} - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-4556 (The string-translate* procedure in the data-structures unit in CHICKEN ...) - chicken 4.10.0-1 (bug #788833) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2015/06/15/1 CVE-2015-2967 (Cross-site scripting (XSS) vulnerability in settings.php in Cacti befo ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 [squeeze] - cacti 0.8.7g-1+squeeze6 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7718 NOTE: http://jvn.jp/en/jp/JVN78187936/ NOTE: Fixed upstream in 0.8.8d CVE-2015-4457 (Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Ma ...) NOT-FOR-US: Cloudera CVE-2015-4456 (ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::igno ...) {DSA-3363-1} - owncloud-client 1.8.4+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-009 CVE-2015-4455 (Unrestricted file upload vulnerability in includes/upload.php in the A ...) NOT-FOR-US: WordPress plugin aviary-image-editor-add-on-for-gravity-forms CVE-2015-4454 (SQL injection vulnerability in the get_hash_graph_template function in ...) 
{DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7720 NOTE: http://bugs.cacti.net/view.php?id=2572 NOTE: Fixed upstream in 0.8.8d CVE-2015-4453 (interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch ...) NOT-FOR-US: OpenEMR CVE-2015-4452 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4451 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4450 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4449 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4448 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4447 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4446 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4445 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4444 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4443 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4442 REJECTED CVE-2015-4441 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4440 REJECTED CVE-2015-4439 REJECTED CVE-2015-4438 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) 
NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4437 REJECTED CVE-2015-4436 REJECTED CVE-2015-4435 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4434 REJECTED CVE-2015-4433 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4432 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4431 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4430 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4429 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4428 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4427 (Multiple cross-site scripting (XSS) vulnerabilities in Test/WorkArea/w ...) NOT-FOR-US: Ektron CMS CVE-2015-4426 (SQL injection vulnerability in pimcore before build 3473 allows remote ...) NOT-FOR-US: pimcore CVE-2015-4425 (Directory traversal vulnerability in pimcore before build 3473 allows ...) NOT-FOR-US: pimcore CVE-2015-4424 RESERVED CVE-2015-4423 RESERVED CVE-2015-4422 (The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100 ...) NOT-FOR-US: TEEOS module in Huawei Mate 7 CVE-2015-4421 (The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V ...) NOT-FOR-US: tzdriver module in Huawei Mate 7 CVE-2015-4420 (Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 a ...) NOT-FOR-US: Opsview CVE-2015-4419 RESERVED CVE-2015-4418 (Zoho NetFlow Analyzer build 10250 and earlier does not have an off aut ...) 
NOT-FOR-US: Zoho NetFlow Analyzer CVE-2015-4417 RESERVED CVE-2015-4416 RESERVED CVE-2015-4415 (Multiple directory traversal vulnerabilities in func.php in Magnifica ...) NOT-FOR-US: Magnifica Webscripts Anima Gallery CVE-2015-4414 (Directory traversal vulnerability in download_audio.php in the SE HTML ...) NOT-FOR-US: WordPress plugin se-html5-album-audio-player CVE-2015-4413 (Cross-site scripting (XSS) vulnerability in the new_fb_sign_button fun ...) NOT-FOR-US: WordPress plugin nextend-facebook-connect CVE-2015-4409 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4408 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4407 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4406 RESERVED CVE-2015-4405 RESERVED CVE-2015-4404 RESERVED CVE-2015-4403 RESERVED CVE-2015-4402 RESERVED CVE-2015-4401 RESERVED CVE-2015-4400 (Ring (formerly DoorBot) video doorbells allow remote attackers to obta ...) NOT-FOR-US: Ring video doorbells CVE-2015-4399 RESERVED CVE-2015-4398 (Open redirect vulnerability in the Chaos tool suite (ctools) module be ...) NOT-FOR-US: Drupal module Chaos tool suite CVE-2015-4397 (Cross-site request forgery (CSRF) vulnerability in the Node Template m ...) NOT-FOR-US: Drupal module Node Template CVE-2015-4396 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyw ...) NOT-FOR-US: Drupal module Keyword Research CVE-2015-4395 (The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal ...) NOT-FOR-US: Drupal module HybridAuth Social Login CVE-2015-4394 (The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote a ...) NOT-FOR-US: Drupal module Services CVE-2015-4393 (The resource/endpoint for uploading files in the Services module 7.x-3 ...) 
NOT-FOR-US: Drupal module Services CVE-2015-4392 (Cross-site scripting (XSS) vulnerability in the Display Suite module 7 ...) NOT-FOR-US: Drupal module Display Suite CVE-2015-4391 (Cross-site request forgery (CSRF) vulnerability in the CiviCRM private ...) NOT-FOR-US: Drupal module CiviCRM CVE-2015-4390 (Multiple cross-site request forgery (CSRF) vulnerabilities in the User ...) NOT-FOR-US: Drupal module User Import CVE-2015-4389 (The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not ...) NOT-FOR-US: Drupal module Open Graph Importer CVE-2015-4388 (Cross-site scripting (XSS) vulnerability in the Current Search Links m ...) NOT-FOR-US: Drupal module Current Search Links CVE-2015-4387 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Password Policy CVE-2015-4386 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified adm ...) NOT-FOR-US: Drupal module EntityBulkDelete CVE-2015-4385 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Imagefield Info CVE-2015-4384 (Cross-site scripting (XSS) vulnerability in the Ubercart Webform Check ...) NOT-FOR-US: Drupal module Ubercart Webform Checkout Pane CVE-2015-4383 (Cross-site request forgery (CSRF) vulnerability in the Decisions modul ...) NOT-FOR-US: Drupal module Decisions CVE-2015-4382 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Invo ...) NOT-FOR-US: Drupal module Invoice CVE-2015-4381 (Cross-site scripting (XSS) vulnerability in the Invoice module 6.x-1.x ...) NOT-FOR-US: Drupal module Invoice CVE-2015-4380 (Cross-site scripting (XSS) vulnerability in the Linear Case module 6.x ...) NOT-FOR-US: Drupal module Linear Case CVE-2015-4379 (Cross-site request forgery (CSRF) vulnerability in the Webform Multipl ...) NOT-FOR-US: Drupal module Webform Multiple File Upload CVE-2015-4378 (Cross-site scripting (XSS) vulnerability in the Crumbs module 7.x-2.x ...) 
NOT-FOR-US: Drupal module Crumbs CVE-2015-4377 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Petition CVE-2015-4376 (Cross-site scripting (XSS) vulnerability in the Profile2 Privacy modul ...) NOT-FOR-US: Drupal module Profile2 Privacy CVE-2015-4375 (The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal ...) NOT-FOR-US: Drupal module Chaos tool suite CVE-2015-4374 (Cross-site scripting (XSS) vulnerability in the Webform module before ...) NOT-FOR-US: Webform module for Drupal CVE-2015-4373 (Cross-site scripting (XSS) vulnerability in the OG tabs module before ...) NOT-FOR-US: Drupal module OG tabs CVE-2015-4372 (Cross-site scripting (XSS) vulnerability in the Image Title module bef ...) NOT-FOR-US: Drupal module Image Title CVE-2015-4371 (Open redirect vulnerability in the Perfecto module before 7.x-1.2 for ...) NOT-FOR-US: Drupal module Perfecto CVE-2015-4370 (Cross-site scripting (XSS) vulnerability in the Site Documentation mod ...) NOT-FOR-US: Drupal module Site Documentation CVE-2015-4369 (Cross-site scripting (XSS) vulnerability in the Trick Question module ...) NOT-FOR-US: Drupal module Trick Question CVE-2015-4368 (The Commerce Ogone module 7.x-1.x before 7.x-1.5 for Drupal allows rem ...) NOT-FOR-US: Drupal module Commerce Ogone CVE-2015-4367 (Cross-site scripting (XSS) vulnerability in the Simple Subscription mo ...) NOT-FOR-US: Drupal module Simple Subscription CVE-2015-4366 (Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 f ...) NOT-FOR-US: Drupal module Mover CVE-2015-4365 (Cross-site scripting (XSS) vulnerability in the Taxonomy Accordion mod ...) NOT-FOR-US: Drupal module Taxonomy Accordion CVE-2015-4364 (Multiple cross-site request forgery (CSRF) vulnerabilities in includes ...) NOT-FOR-US: Drupal module Campaign Monitor CVE-2015-4363 (Open redirect vulnerability in the finder_form_goto function in the Fi ...) 
NOT-FOR-US: Drupal module Finder CVE-2015-4362 (Cross-site request forgery (CSRF) vulnerability in tracking_code.admin ...) NOT-FOR-US: Drupal module Tracking Code CVE-2015-4361 (Cross-site request forgery (CSRF) vulnerability in the Registration co ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4360 (Cross-site request forgery (CSRF) vulnerability in the Registration co ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4359 (Multiple cross-site scripting (XSS) vulnerabilities in the Registratio ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4358 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Ubercart Display Coupons CVE-2015-4357 (Cross-site scripting (XSS) vulnerability in the Webform module before ...) NOT-FOR-US: Drupal module Webform CVE-2015-4356 (Cross-site scripting (XSS) vulnerability in the view-based webform res ...) NOT-FOR-US: Drupal module Webform CVE-2015-4355 (Cross-site request forgery (CSRF) vulnerability in the Watchdog Aggreg ...) NOT-FOR-US: Drupal module Watchdog Aggregator CVE-2015-4354 (Cross-site scripting (XSS) vulnerability in the Ubercart Webform Integ ...) NOT-FOR-US: Drupal module Ubercart Webform Integration CVE-2015-4353 (Cross-site request forgery (CSRF) vulnerability in the Custom Sitemap ...) NOT-FOR-US: Drupal module Custom Sitemap CVE-2015-4352 (Cross-site request forgery (CSRF) vulnerability in the Spider Video Pl ...) NOT-FOR-US: Drupal module Spider Video Player CVE-2015-4351 (The Spider Video Player module for Drupal allows remote authenticated ...) NOT-FOR-US: Drupal module Spider Video Player CVE-2015-4350 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Spid ...) NOT-FOR-US: Drupal Module Spider Catalog CVE-2015-4349 (Cross-site request forgery (CSRF) vulnerability in the Spider Contacts ...) 
NOT-FOR-US: Drupal Module Spider Catalog CVE-2015-4348 (SQL injection vulnerability in the Spider Contacts module for Drupal a ...) NOT-FOR-US: Drupal module Spider Contacts CVE-2015-4347 (Cross-site scripting (XSS) vulnerability in the inLinks Integration mo ...) NOT-FOR-US: Drupal module inLinks Integration CVE-2015-4346 (Cross-site scripting (XSS) vulnerability in the SMS Framework module 6 ...) NOT-FOR-US: Drupal module SMS Framework CVE-2015-4345 (The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x ...) NOT-FOR-US: Drupal module RESTful Web Services CVE-2015-4344 (The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for D ...) NOT-FOR-US: Drupal module Services Basic Authentication CVE-2015-4343 RESERVED CVE-2015-4342 (SQL injection vulnerability in Cacti before 0.8.8d allows remote attac ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 NOTE: Original report: http://seclists.org/fulldisclosure/2015/Jun/19 NOTE: Upstream bug: http://bugs.cacti.net/view.php?id=2571 (not yet accessible) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7719 NOTE: Fixed upstream in 0.8.8d CVE-2015-4341 RESERVED CVE-2015-4340 RESERVED CVE-2015-4339 RESERVED CVE-2015-4334 (The default configuration of SGOS in Blue Coat ProxySG before 6.2.16.5 ...) NOT-FOR-US: Blue Coat ProxySG CVE-2015-4333 RESERVED CVE-2015-4332 RESERVED CVE-2015-4331 (Cisco Prime Infrastructure (PI) 1.4(0.45) and earlier, when AAA authen ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2015-4330 (A local file script in Cisco TelePresence Video Communication Server ( ...) NOT-FOR-US: Cisco CVE-2015-4329 (The administrator web interface in Cisco TelePresence Video Communicat ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4328 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4327 (The CLI in Cisco TelePresence Video Communication Server (VCS) Express ...) 
NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4326 RESERVED CVE-2015-4325 (The process-management implementation in Cisco TelePresence Video Comm ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4324 (Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphe ...) NOT-FOR-US: Cisco CVE-2015-4323 (Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphe ...) NOT-FOR-US: Cisco CVE-2015-4322 (Cisco Content Security Management Appliance (SMA) 8.3.6-039, 9.1.0-31, ...) NOT-FOR-US: Cisco CVE-2015-4321 (The Unicast Reverse Path Forwarding (uRPF) implementation in Cisco Ada ...) NOT-FOR-US: Cisco CVE-2015-4320 (The Configuration Log File component in Cisco TelePresence Video Commu ...) NOT-FOR-US: Cisco CVE-2015-4319 (The password-change feature in the administrative web interface in Cis ...) NOT-FOR-US: Cisco CVE-2015-4318 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco CVE-2015-4317 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco CVE-2015-4316 (The Mobile and Remote Access (MRA) endpoint-validation feature in Cisc ...) NOT-FOR-US: Cisco CVE-2015-4315 (The Call Policy Configuration page in Cisco TelePresence Video Communi ...) NOT-FOR-US: Cisco CVE-2015-4314 (The System Snapshot feature in Cisco TelePresence Video Communication ...) NOT-FOR-US: Cisco CVE-2015-4313 RESERVED CVE-2015-4312 RESERVED CVE-2015-4311 RESERVED CVE-2015-4310 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse 1 ...) NOT-FOR-US: Cisco CVE-2015-4309 RESERVED CVE-2015-4308 (The webGUI configuration-export feature in Cisco Edge Bluebird Operati ...) NOT-FOR-US: Cisco CVE-2015-4307 (The web framework in Cisco Prime Collaboration Provisioning before 11. ...) NOT-FOR-US: Cisco Prime Collaboration Provisioning CVE-2015-4306 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...) 
	NOT-FOR-US: Cisco Prime Collaboration Assurance
CVE-2015-4305 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...)
	NOT-FOR-US: Cisco Prime Collaboration Assurance
CVE-2015-4304 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...)
	NOT-FOR-US: Cisco Prime Collaboration Assurance
CVE-2015-4303 (Cisco TelePresence Video Communication Server (VCS) X8.5.2 allows remo ...)
	NOT-FOR-US: Cisco
CVE-2015-4302 (The web interface in Cisco FireSIGHT Management Center 5.3.1.4 allows ...)
	NOT-FOR-US: Cisco
CVE-2015-4301 (Cisco NX-OS on Nexus 9000 devices 11.1(1c) allows remote authenticated ...)
	NOT-FOR-US: Cisco
CVE-2015-4300 REJECTED
CVE-2015-4299 (Cisco Unified Web and E-Mail Interaction Manager 9.0(2) improperly per ...)
	NOT-FOR-US: Cisco
CVE-2015-4298 (Cisco Unified Web and E-Mail Interaction Manager 9.0(2) and 11.0(1) im ...)
	NOT-FOR-US: Cisco
CVE-2015-4297 (Open redirect vulnerability in Cisco WebEx Node for Media Convergence ...)
	NOT-FOR-US: Cisco
CVE-2015-4296 (Nexus Data Broker (NDB) on Cisco Nexus 3000 devices with software 6.0( ...)
	NOT-FOR-US: Cisco
CVE-2015-4295 (The Prime Collaboration Deployment component in Cisco Unified Communic ...)
	NOT-FOR-US: Cisco
CVE-2015-4294 (Cross-site scripting (XSS) vulnerability in Cisco IM and Presence Serv ...)
	NOT-FOR-US: Cisco
CVE-2015-4293 (The packet-reassembly implementation in Cisco IOS XE 3.13S and earlier ...)
	NOT-FOR-US: Cisco
CVE-2015-4292 (Cross-site scripting (XSS) vulnerability in the management interface i ...)
	NOT-FOR-US: Cisco
CVE-2015-4291 (Cisco IOS XE 2.x before 2.4.3 and 2.5.x before 2.5.1 on ASR 1000 devic ...)
	NOT-FOR-US: Cisco
CVE-2015-4290 (The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(20 ...)
	NOT-FOR-US: Cisco
CVE-2015-4289 (Directory traversal vulnerability in Cisco AnyConnect Secure Mobility ...)
	NOT-FOR-US: Cisco
CVE-2015-4288 (The LDAP implementation on the Cisco Web Security Appliance (WSA) 8.5. ...)
	NOT-FOR-US: Cisco
CVE-2015-4287 (Cisco Firepower Extensible Operating System 1.1(1.86) on Firepower 900 ...)
	NOT-FOR-US: Cisco
CVE-2015-4286 (The web framework in Cisco UCS Central Software 1.3(0.99) allows remot ...)
	NOT-FOR-US: Cisco
CVE-2015-4285 (The Local Packet Transport Services (LPTS) implementation in Cisco IOS ...)
	NOT-FOR-US: Cisco
CVE-2015-4284 (The Concurrent Data Management Replication process in Cisco IOS XR 5.3 ...)
	NOT-FOR-US: Cisco
CVE-2015-4283 (Cisco Videoscape Policy Resource Manager (PRM) 3.5.4 allows remote att ...)
	NOT-FOR-US: Cisco
CVE-2015-4282 (Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permi ...)
	NOT-FOR-US: Cisco
CVE-2015-4281 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...)
	NOT-FOR-US: Cisco
CVE-2015-4280 (Cisco Prime Collaboration Assurance 10.0 allows remote attackers to ca ...)
	NOT-FOR-US: Cisco
CVE-2015-4279 (The Manager component in Cisco Unified Computing System (UCS) 2.2(3b) ...)
	NOT-FOR-US: Cisco
CVE-2015-4278 (Cisco Email Security Appliance (ESA) devices with software 8.5.6-106 a ...)
	NOT-FOR-US: Cisco
CVE-2015-4277 (The global-configuration implementation on Cisco ASR 9000 devices with ...)
	NOT-FOR-US: Cisco
CVE-2015-4276 (Cisco WebEx Meetings Server 2.5MR1 allows remote authenticated users t ...)
	NOT-FOR-US: Cisco
CVE-2015-4275 (The Packet Data Network Gateway (aka PGW) component on Cisco ASR 5000 ...)
	NOT-FOR-US: Cisco
CVE-2015-4274 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...)
	NOT-FOR-US: Cisco
CVE-2015-4273 (The Packet Data Network Gateway (aka PGW) component on Cisco ASR 5000 ...)
	NOT-FOR-US: Cisco
CVE-2015-4272 (Multiple cross-site scripting (XSS) vulnerabilities in the ccmivr page ...)
	NOT-FOR-US: Cisco
CVE-2015-4271 (Cisco TelePresence TC before 7.3.4 on Integrator C devices allows remo ...)
	NOT-FOR-US: Cisco
CVE-2015-4270 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSIGHT ...)
	NOT-FOR-US: Cisco
CVE-2015-4269 (The Tomcat throttling feature in Cisco Unified Communications Manager ...)
	NOT-FOR-US: Cisco
CVE-2015-4268 (Multiple cross-site scripting (XSS) vulnerabilities in the Infra Admin ...)
	NOT-FOR-US: Cisco
CVE-2015-4267 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...)
	NOT-FOR-US: Cisco
CVE-2015-4266 (The web interface in Cisco Identity Services Engine (ISE) 1.1(4.1), 1. ...)
	NOT-FOR-US: Cisco
CVE-2015-4265 (Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x bef ...)
	NOT-FOR-US: Cisco Unified Computing System
CVE-2015-4264 RESERVED
CVE-2015-4263 (The Control and Provisioning functionality in Cisco Mobility Services ...)
	NOT-FOR-US: Cisco
CVE-2015-4262 (The password-change feature in Cisco Unified MeetingPlace Web Conferen ...)
	NOT-FOR-US: Cisco Unified MeetingPlace
CVE-2015-4261 REJECTED
CVE-2015-4260 (Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration ...)
	NOT-FOR-US: Cisco
CVE-2015-4259 (The Integrated Management Controller on Cisco Unified Computing System ...)
	NOT-FOR-US: Cisco
CVE-2015-4258 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4257 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4256 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4255 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4254 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4253 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4252 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...)
	NOT-FOR-US: Cisco
CVE-2015-4251 REJECTED
CVE-2015-4250 REJECTED
CVE-2015-4249 REJECTED
CVE-2015-4248 REJECTED
CVE-2015-4247 REJECTED
CVE-2015-4246 REJECTED
CVE-2015-4245 REJECTED
CVE-2015-4244 (The boot implementation on Cisco ASR 5000 and 5500 devices with softwa ...)
	NOT-FOR-US: Cisco
CVE-2015-4243 (The PPPoE establishment implementation in Cisco IOS XE 3.5.0S on ASR 1 ...)
	NOT-FOR-US: Cisco
CVE-2015-4242 (Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT Sys ...)
	NOT-FOR-US: Cisco
CVE-2015-4241 (Cisco Adaptive Security Appliance (ASA) Software 9.3(2) allows remote ...)
	NOT-FOR-US: Cisco
CVE-2015-4240 (Cisco IP Communicator 8.6(4) allows remote attackers to cause a denial ...)
	NOT-FOR-US: Cisco
CVE-2015-4239 (Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13 ...)
	NOT-FOR-US: Cisco Adaptive Security Appliance
CVE-2015-4238 (The SNMP implementation in Cisco Adaptive Security Appliance (ASA) Sof ...)
	NOT-FOR-US: Cisco Adaptive Security Appliance
CVE-2015-4237 (The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-4236 (Cisco AsyncOS on Email Security Appliance (ESA) devices with software ...)
	NOT-FOR-US: Cisco
CVE-2015-4235 (Cisco Application Policy Infrastructure Controller (APIC) devices with ...)
	NOT-FOR-US: Cisco Application Policy Infrastructure Controller
CVE-2015-4234 (Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS conf ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-4233 (SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) all ...)
	NOT-FOR-US: Cisco Unified MeetingPlace
CVE-2015-4232 (Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users t ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-4231 (The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices al ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-4230 (Memory leak in Cisco Headend System Release allows remote attackers to ...)
	NOT-FOR-US: Cisco
CVE-2015-4229 (The web framework in Cisco Unified Communications Domain Manager 8.1(4 ...)
	NOT-FOR-US: Cisco Unified Communications Domain Manager
CVE-2015-4228 (Cisco Digital Content Manager (DCM) 15.0.0 might allow remote ad serve ...)
	NOT-FOR-US: Cisco Digital Content Manager
CVE-2015-4227 (Memory leak in Cisco Headend System Release allows remote attackers to ...)
	NOT-FOR-US: Cisco
CVE-2015-4226 (The packet-storing feature on Cisco 9900 phones with firmware 9.3(2) d ...)
	NOT-FOR-US: Cisco
CVE-2015-4225 (Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) ...)
	NOT-FOR-US: Cisco
CVE-2015-4224 (Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0) a ...)
	NOT-FOR-US: Cisco
CVE-2015-4223 (Cisco IOS XR 5.1.3 allows remote attackers to cause a denial of servic ...)
	NOT-FOR-US: Cisco
CVE-2015-4222 (SQL injection vulnerability in Cisco Unified Communications Manager IM ...)
	NOT-FOR-US: Cisco
CVE-2015-4221 (Cisco Unified Communications Manager IM and Presence Service 9.1(1) do ...)
	NOT-FOR-US: Cisco
CVE-2015-4220 (Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Ser ...)
	NOT-FOR-US: Cisco
CVE-2015-4219 (Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5 ...)
	NOT-FOR-US: Cisco
CVE-2015-4218 (The web-based user interface in Cisco Jabber through 9.6(3) and 9.7 th ...)
	NOT-FOR-US: Cisco Jabber
CVE-2015-4217 (The remote-support feature on Cisco Web Security Virtual Appliance (WS ...)
	NOT-FOR-US: Cisco
CVE-2015-4216 (The remote-support feature on Cisco Web Security Virtual Appliance (WS ...)
	NOT-FOR-US: Cisco
CVE-2015-4215 (Cisco Wireless LAN Controller (WLC) devices with software 7.5(102.0) a ...)
	NOT-FOR-US: Cisco
CVE-2015-4214 (Cisco Unified MeetingPlace 8.6(1.2) and 8.6(1.9) allows remote authent ...)
	NOT-FOR-US: Cisco
CVE-2015-4213 (Cisco NX-OS 1.1(1g) on Nexus 9000 devices allows remote authenticated ...)
	NOT-FOR-US: Cisco
CVE-2015-4212 (Cisco WebEx Meeting Center allows remote attackers to obtain sensitive ...)
	NOT-FOR-US: Cisco
CVE-2015-4211 (Cisco AnyConnect Secure Mobility Client 3.1(60) on Windows does not pr ...)
	NOT-FOR-US: Cisco
CVE-2015-4210 (Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center ...)
	NOT-FOR-US: Cisco
CVE-2015-4209 (Cisco WebEx Meeting Center does not properly determine authorization f ...)
	NOT-FOR-US: Cisco
CVE-2015-4208 (Cisco WebEx Meeting Center does not properly restrict the content of U ...)
	NOT-FOR-US: Cisco
CVE-2015-4207 (Cisco WebEx Meeting Center places a meeting's access number in a URL, ...)
	NOT-FOR-US: Cisco
CVE-2015-4206 (Cisco Unified Communications Manager (UCM) 8.0 through 8.6 allows remo ...)
	NOT-FOR-US: Cisco
CVE-2015-4205 (Cisco IOS XR 5.3.1 on ASR 9000 devices allows remote attackers to caus ...)
	NOT-FOR-US: Cisco
CVE-2015-4204 (Memory leak in Cisco IOS 12.2 in the Performance Routing Engine (PRE) ...)
	NOT-FOR-US: Cisco
CVE-2015-4203 (Race condition in Cisco IOS 12.2SCH in the Performance Routing Engine ...)
	NOT-FOR-US: Cisco
CVE-2015-4202 (Cisco IOS 12.2SCH on uBR10000 router Cable Modem Termination Systems ( ...)
	NOT-FOR-US: Cisco
CVE-2015-4201 (The Gateway General Packet Radio Service Support Node (GGSN) component ...)
	NOT-FOR-US: Cisco
CVE-2015-4200 (Memory leak in the IPv6-to-IPv4 functionality in Cisco IOS 15.3S in th ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-4199 (Race condition in the IPv6-to-IPv4 functionality in Cisco IOS 15.3S in ...)
	NOT-FOR-US: Cisco
CVE-2015-4198 (Cross-site scripting (XSS) vulnerability in the web framework on Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-4197 (Cisco NX-OS 5.2(5) on Nexus 7000 devices allows remote attackers to ca ...)
	NOT-FOR-US: Cisco
CVE-2015-4196 (Platform Software before 4.4.5 in Cisco Unified Communications Domain ...)
	NOT-FOR-US: Cisco Unified Communications Domain Manager
CVE-2015-4195 (Cisco IOS XR 5.1.1.K9SEC allows remote authenticated users to cause a ...)
	NOT-FOR-US: Cisco
CVE-2015-4194 (The web-based administrative interface in Cisco WebEx Meeting Center p ...)
	NOT-FOR-US: Cisco
CVE-2015-4193 RESERVED
CVE-2015-4192 RESERVED
CVE-2015-4191 (Cisco IOS XR 5.2.1 allows remote attackers to cause a denial of servic ...)
	NOT-FOR-US: Cisco
CVE-2015-4190 (Cisco Cloud Portal in Cisco Prime Service Catalog 9.4.1_vortex on Clou ...)
	NOT-FOR-US: Cisco
CVE-2015-4189 (Cross-site request forgery (CSRF) vulnerability in Cisco Data Center A ...)
	NOT-FOR-US: Cisco
CVE-2015-4188 (SQL injection vulnerability in the Manager interface in Cisco Prime Co ...)
	NOT-FOR-US: Cisco
CVE-2015-4187 RESERVED
CVE-2015-4186 (The diagnostics subsystem in the administrative web interface on Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-4185 (The TCL interpreter in Cisco IOS 15.2 does not properly maintain the v ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-4184 (The anti-spam scanner on Cisco Email Security Appliance (ESA) devices ...)
	NOT-FOR-US: Cisco Email Security Appliance
CVE-2015-4183 (Cisco UCS Central Software 1.2(1a) allows local users to gain privileg ...)
	NOT-FOR-US: Cisco
CVE-2015-4182 (The administrative web interface in Cisco Identity Services Engine (IS ...)
	NOT-FOR-US: Cisco Identity Services Engine
CVE-2015-4181 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-4180 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-4175 RESERVED
CVE-2015-4174 (Cross-site scripting (XSS) vulnerability in the integrated web server ...)
	NOT-FOR-US: Siemens Climatix BACnet/IP communication module
CVE-2015-4173 (Unquoted Windows search path vulnerability in the autorun value in Del ...)
	NOT-FOR-US: Dell SonicWall NetExtender
CVE-2015-4692 (The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux ...)
	- linux 4.0.8-1
	[jessie] - linux 3.16.7-ckt11-1+deb8u3
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6 (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/10/6
	NOTE: Vulnerable function introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=66450a21f99636af4fafac2afd33f1a40631bc3a (v3.10-rc1)
CVE-2015-4625 (Integer overflow in the authentication_agent_new_cookie function in Po ...)
	[experimental] - policykit-1 0.113-1
	- policykit-1 0.105-12 (low; bug #796134)
	[jessie] - policykit-1 0.105-15~deb8u1
	[wheezy] - policykit-1 (Minor issue)
	[squeeze] - policykit-1 (Minor issue)
	NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000419.html
	NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90837
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90832
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/08/3
	NOTE: http://cgit.freedesktop.org/polkit/commit/?id=ea544ffc18405237ccd95d28d7f45afef49aca17
	NOTE: http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766
	NOTE: http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228
CVE-2015-4412 (BSON injection vulnerability in the legal? function in BSON (bson-ruby ...)
	- ruby-bson (corresponding change in ruby-bson not present)
	NOTE: Originating from https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203#diff-8c8558c185bbb548ccb5a6d6ac4bfee5L219
CVE-2015-4411 (The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0 ...)
	- ruby-bson (corresponding change in ruby-bson not present)
	NOTE: https://github.com/mongoid/moped/commit/dd5a7c14b5d2e466f7875d079af71ad19774609b#diff-3b93602f64c2fe46d38efd9f73ef5358R24
CVE-2015-4410 (The Moped::BSON::ObjecId.legal? method in rubygem-moped before commit ...)
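Added example for the CVE-2015-4410, CVE-2015-4411 and CVE-2015-4412 entries, written here for this tracker page; it is not code from bson-ruby, moped, the mongo-ruby-driver fix commit or the Debian package. It shows why the ^[0-9a-f]{24}$ check that the notes for this entry record as the original implementation lets attacker-controlled strings through: in Ruby, ^ and $ match at line boundaries, so any string that contains a 24-hex-character line passes, while \A and \z anchor to the whole string (and \z, unlike \Z, also rejects a trailing newline). The ObjectId value, the sample inputs and the parse_object_id consumer are constructed for the demonstration and are not part of any driver API.

```ruby
# Added example for the CVE-2015-4410/4411/4412 entries; not bson-ruby's own code.
# Ruby's ^ and $ are LINE anchors, so the "^[0-9a-f]{24}$" check quoted in the
# tracker notes accepts multi-line strings that merely contain a valid-looking id.

VULNERABLE_ID_RE = /^[0-9a-f]{24}$/    # matches any line that is 24 hex chars
FIXED_ID_RE      = /\A[0-9a-f]{24}\z/  # matches only if the whole string is

# Line-anchored check, the shape the notes record as the original one.
def legal_vulnerable?(str)
  !!(str.to_s =~ VULNERABLE_ID_RE)
end

# String-anchored check; \z (not \Z) also rejects a trailing newline.
def legal_fixed?(str)
  !!(str.to_s =~ FIXED_ID_RE)
end

# Constructed inputs for the demonstration (the id and payloads are made up).
GOOD_ID = "4e4d66343b39b68407000001".freeze
SAMPLES = {
  plain_id:         GOOD_ID,
  id_then_payload:  "#{GOOD_ID}\nanything-the-caller-will-pass-on",
  payload_then_id:  "anything-the-caller-will-pass-on\n#{GOOD_ID}",
  trailing_newline: "#{GOOD_ID}\n",
  too_short:        "4e4d6634",
}.freeze

# Names of the samples a given checker accepts, so the gap between the two is visible.
def accepted_by(checker)
  SAMPLES.select { |_, value| send(checker, value) }.keys
end

# Hypothetical consumer: only bytes that survive legal_fixed? are turned into the
# 12 raw bytes an ObjectId occupies, so a second line of input can never get this far.
def parse_object_id(str)
  raise ArgumentError, "not an ObjectId: #{str.inspect}" unless legal_fixed?(str)
  [str].pack("H*")
end

if __FILE__ == $PROGRAM_NAME
  puts "accepted by ^...$   : #{accepted_by(:legal_vulnerable?).inspect}"
  puts "accepted by \\A...\\z : #{accepted_by(:legal_fixed?).inspect}"
end
```

Run stand-alone it lists four of the five samples as accepted by the line-anchored check and only plain_id by the string-anchored one. The same trap applies to every Ruby input validator that uses ^ and $ on untrusted data, not just to ObjectId checks.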
	- ruby-bson 1.10.0-2 (bug #787951)
	[jessie] - ruby-bson 1.10.0-1+deb8u1
	NOTE: "original" implementation of legal? using ^[0-9a-f]{24}$ regular expression
	NOTE: Fix: https://github.com/mongodb/mongo-ruby-driver/commit/bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade (1.x-stable)
	NOTE: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
	NOTE: https://sources.debian.org/src/ruby-bson/1.10.0-1/lib/bson/types/object_id.rb/#L54
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/06/1
CVE-2015-4338 (Static code injection vulnerability in the XCloner plugin 3.1.2 for Wo ...)
	NOT-FOR-US: WordPress plugin xclonerbackupandrestore
CVE-2015-4337 (Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 f ...)
	NOT-FOR-US: WordPress plugin xclonerbackupandrestore
CVE-2015-4336 (cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows ...)
	NOT-FOR-US: WordPress plugin xclonerbackupandrestore
CVE-2015-4335 (Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to ex ...)
	{DSA-3279-1}
	- redis 2:3.0.2-1
	[wheezy] - redis (Lua support introduced in version 2.6.0)
	[squeeze] - redis (Lua support introduced in version 2.6.0)
	NOTE: http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
	NOTE: Patch: https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/05/3
CVE-2015-XXXX [Null pointer access in inflatehd tool]
	- nghttp2 (unimportant)
	NOTE: Upstream report: https://github.com/tatsuhiro-t/nghttp2/issues/235
	NOTE: Git commit: https://github.com/tatsuhiro-t/nghttp2/commit/3572e7c6343cb85fc21f5667a7ed0902cf5305cf
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/03/20
	NOTE: inflatehd not installed into the Debian binary packages
CVE-2015-5523 (The ParseValue function in lexer.c in tidy before 4.9.31 allows remote ...)
	{DSA-3309-1 DLA-273-1}
	- tidy 20091223cvs-1.5 (bug #792571)
	NOTE: https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/04/2
CVE-2015-5522 (Heap-based buffer overflow in the ParseValue function in lexer.c in ti ...)
	{DSA-3309-1 DLA-273-1}
	- tidy 20091223cvs-1.5 (bug #792571)
	NOTE: https://github.com/htacg/tidy-html5/issues/217
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/04/2
CVE-2015-6593 REJECTED
CVE-2015-4179 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Code ...)
	NOT-FOR-US: WordPress plugin codestyling-localization
CVE-2015-4176 (fs/namespace.c in the Linux kernel before 4.0.2 does not properly supp ...)
	- linux (Introducing commit was applied to 4.0.2, but the fix e0c9c0afd2fc958ffa34b697972721d81df8a56f was backported into 4.0.2 as well)
	- linux-2.6 (Introduced and fixed in 4.1-rc1 upstream)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e0c9c0afd2fc958ffa34b697972721d81df8a56f (v4.1-rc1)
CVE-2015-4172 RESERVED
CVE-2015-4171 (strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client be ...)
	{DSA-3282-1 DLA-244-1}
	- strongswan 5.3.1-1
	NOTE: https://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html
CVE-2015-4169 RESERVED
CVE-2015-4168 RESERVED
CVE-2015-4166 (Cloudera Key Trustee Server before 5.4.3 does not store keys synchrono ...)
	NOT-FOR-US: Cloudera
CVE-2015-4165 (The snapshot API in Elasticsearch before 1.6.0 when another applicatio ...)
	- elasticsearch 1.6.0+dfsg-1 (bug #788471)
	[jessie] - elasticsearch (No longer supported, see DSA 3389)
	NOTE: https://github.com/elastic/elasticsearch/issues/11068
	NOTE: https://github.com/elastic/elasticsearch/pull/11284
	NOTE: https://github.com/imotov/elasticsearch/commit/f5cfb2a1869d1a52930cbd3138278a6e2c1b22e6
CVE-2015-4164 (The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way ...)
	{DSA-3286-1}
	- xen 4.6.0-1 (bug #795721)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-136.html
CVE-2015-4163 (GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the gran ...)
	{DSA-3286-1}
	- xen 4.6.0-1 (bug #795721)
	[wheezy] - xen (Xen 4.2 onwards are vulnerable)
	[squeeze] - xen (Xen 4.2 onwards are vulnerable)
	NOTE: http://xenbits.xen.org/xsa/advisory-134.html
CVE-2015-4162 (XML external entity (XXE) vulnerability in the management interface in ...)
	NOT-FOR-US: PAN-OS
CVE-2015-4161 (SAP Afaria does not properly restrict access to unspecified functional ...)
	NOT-FOR-US: SAP Afaria
CVE-2015-4160 (SQL injection vulnerability in SAP ASE Database Platform allows remote ...)
	NOT-FOR-US: SAP ASE Database Platform
CVE-2015-4159 (SQL injection vulnerability in SAP HANA Web-based Development Workbenc ...)
	NOT-FOR-US: SAP HANA
CVE-2015-4158 (SAP ABAP & Java Server allows remote attackers to cause a denial o ...)
	NOT-FOR-US: SAP ABAP & Java Server
CVE-2015-4157 (SAP Content Server allows remote attackers to cause a denial of servic ...)
	NOT-FOR-US: SAP Content Server
CVE-2015-4156 (GNU Parallel before 20150522 (Nepal), when using (1) --cat or (2) --fi ...)
	- parallel 20161222-1 (unimportant; bug #787954)
	NOTE: https://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
	NOTE: https://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html
	NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-4155 (GNU Parallel before 20150422, when using (1) --pipe, (2) --tmux, (3) - ...)
	- parallel 20161222-1 (unimportant; bug #787954)
	NOTE: https://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
	NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-4154 RESERVED
CVE-2015-4153 (Directory traversal vulnerability in the zM Ajax Login & Register ...)
	NOT-FOR-US: WordPress plugin zm-ajax-login-register
CVE-2015-4152 (Directory traversal vulnerability in the file output plugin in Elastic ...)
	- logstash (bug #664841)
CVE-2015-4151 RESERVED
CVE-2015-4150 RESERVED
CVE-2015-4149 RESERVED
CVE-2015-4138 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...)
	NOT-FOR-US: Blue Coat SSL Visibility Appliance
CVE-2015-4137 (SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 ...)
	NOT-FOR-US: Milw0rm Clone Script
CVE-2015-4136 RESERVED
CVE-2015-5366 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kerne ...)
	{DSA-3313-1 DLA-310-1}
	- linux 4.0.7-1
	[wheezy] - linux 3.2.68-1+deb7u3
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7)
	NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/30/13
CVE-2015-5364 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kerne ...)
	{DSA-3313-1 DLA-310-1}
	- linux 4.0.7-1
	[wheezy] - linux 3.2.68-1+deb7u3
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7)
	NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/30/13
CVE-2015-XXXX [uudecode: stack out of bounds read access]
	- sharutils (unimportant)
	NOTE: Negligible security impact
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/02/8
CVE-2015-4167 (The udf_read_inode function in fs/udf/inode.c in the Linux kernel befo ...)
	{DSA-3313-1 DSA-3290-1 DLA-246-1}
	- linux 4.0.2-1
	- linux-2.6
	NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 (v4.0-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/02/6
CVE-2015-4140 (Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugi ...)
	NOT-FOR-US: WordPress plugin wp-smiley
CVE-2015-4139 (Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP S ...)
	NOT-FOR-US: WordPress plugin wp-smiley
CVE-2015-4135 (Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 al ...)
	NOT-FOR-US: PHPWind
CVE-2015-4134 (Open redirect vulnerability in goto.php in phpwind 8.7 allows remote a ...)
	NOT-FOR-US: PHPWind
CVE-2015-4133 (Unrestricted file upload vulnerability in admin/scripts/FileUploader/p ...)
	NOT-FOR-US: ReFlex Gallery plugin for WordPress
CVE-2015-4132 (Multiple cross-site scripting (XSS) vulnerabilities in Aruba Networks ...)
	NOT-FOR-US: Aruba Networks CPPM
CVE-2015-4131 RESERVED
CVE-2015-4130 [command-injection]
	RESERVED
	NOT-FOR-US: NodeJS ungit
	NOTE: https://github.com/FredrikNoren/ungit/issues/486
	NOTE: https://nodesecurity.io/advisories/40
CVE-2015-4129 (SQL injection vulnerability in Subrion CMS before 3.3.3 allows remote ...)
	NOT-FOR-US: Subrion CMS
CVE-2015-4128 RESERVED
CVE-2015-4127 (Cross-site scripting (XSS) vulnerability in the church_admin plugin be ...)
	NOT-FOR-US: church_admin plugin for WordPress
CVE-2015-4178 (The fs_pin implementation in the Linux kernel before 4.0.5 does not en ...)
	- linux (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits)
	NOTE: Debian applies both "mnt: Fail collect_mounts when applied to unmounted mounts"
	NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in 4.0.2-1
	- linux-2.6 (Introduced and fixed in 4.1-rc1 upstream)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=820f9f147dcce2602eefd9b575bbbd9ea14f0953 (v4.1-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/29/5
CVE-2015-4177 (The collect_mounts function in fs/namespace.c in the Linux kernel befo ...)
	- linux (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits)
	NOTE: Debian applies both "mnt: Fail collect_mounts when applied to unmounted mounts"
	NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in 4.0.2-1
	- linux-2.6 (Introduced and fixed in 4.1-rc1 upstream)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cd4a40174b71acd021877341684d8bb1dc8ea4ae (v4.1-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/29/5
CVE-2015-4126 RESERVED
CVE-2015-4125 RESERVED
CVE-2015-4124 RESERVED
CVE-2015-4123 RESERVED
CVE-2015-4122 RESERVED
CVE-2015-4121 RESERVED
CVE-2015-4120 RESERVED
CVE-2015-4119 (Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfi ...)
	NOT-FOR-US: ISPConfig
CVE-2015-4118 (SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig ...)
	NOT-FOR-US: ISPConfig
CVE-2015-4117 (Vesta Control Panel before 0.9.8-14 allows remote authenticated users ...)
	NOT-FOR-US: Vesta Control Panel
CVE-2015-4116 (Use-after-free vulnerability in the spl_ptr_heap_insert function in ex ...)
	- php5 5.6.11+dfsg-1 (unimportant)
	[jessie] - php5 5.6.12+dfsg-0+deb8u1
	NOTE: https://bugs.php.net/bug.php?id=69737
	NOTE: Fixed in 5.6.11, 5.5.27
	NOTE: Not treated as security issue, only triggerable with malformed PHP code
CVE-2015-4115 RESERVED
CVE-2015-4114 RESERVED
CVE-2015-4113 RESERVED
CVE-2015-4112 (The Management Console in BlackBerry Enterprise Server (BES) 12 before ...)
	NOT-FOR-US: BlackBerry
CVE-2015-4111 (mc_demux_mp4_ds.ax in an unspecified third-party codec demux in BlackB ...)
	NOT-FOR-US: BlackBerry
CVE-2015-4110 RESERVED
CVE-2015-4109 (Multiple SQL injection vulnerabilities in the ratings module in the Us ...)
	NOT-FOR-US: WordPress plugin users-ultra
CVE-2015-4108 (Multiple cross-site request forgery (CSRF) vulnerabilities in Wing FTP ...)
	NOT-FOR-US: Wing FTP Server
CVE-2015-4107 REJECTED
CVE-2015-4106 (QEMU does not properly restrict write access to the PCI config space f ...)
	{DSA-3286-1 DSA-3284-1}
	- qemu 1:2.3+dfsg-5 (bug #787547)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	- xen 4.4.0-1
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: Xen switched to qemu-system in 4.4.0-1
	NOTE: http://xenbits.xen.org/xsa/advisory-131.html
CVE-2015-4105 (Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through err ...)
	{DSA-3286-1 DSA-3284-1}
	- qemu 1:2.3+dfsg-5 (bug #787547)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	- xen 4.4.0-1
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: Xen switched to qemu-system in 4.4.0-1
	NOTE: http://xenbits.xen.org/xsa/advisory-130.html
CVE-2015-4104 (Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI m ...)
	{DSA-3286-1 DSA-3284-1}
	- qemu 1:2.3+dfsg-5 (bug #787547)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	- xen 4.4.0-1
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: Xen switched to qemu-system in 4.4.0-1
	NOTE: http://xenbits.xen.org/xsa/advisory-129.html
CVE-2015-4103 (Xen 3.3.x through 4.5.x does not properly restrict write access to the ...)
	{DSA-3286-1 DSA-3284-1}
	- qemu 1:2.3+dfsg-5 (bug #787547)
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	- xen 4.4.0-1
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: Xen switched to qemu-system in 4.4.0-1
	NOTE: http://xenbits.xen.org/xsa/advisory-128.html
CVE-2015-4102 RESERVED
CVE-2015-4101 RESERVED
CVE-2015-4100 (Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated use ...)
	- puppet (Only affects Puppet Enterprise)
	NOTE: https://puppet.com/security/cve/CVE-2015-4100
CVE-2015-4099 RESERVED
CVE-2015-4098 RESERVED
CVE-2015-4097 RESERVED
CVE-2015-4096 RESERVED
CVE-2015-4095 RESERVED
CVE-2015-4094 (The Thycotic Password Manager Secret Server application through 2.3 fo ...)
	NOT-FOR-US: Thycotic Password Manager Secret Server application for iOS
CVE-2015-4093 (Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x b ...)
	- kibana (bug #700337)
CVE-2015-4092 (Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 al ...)
	NOT-FOR-US: SAP Afaria
CVE-2015-4091 (XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 a ...)
	NOT-FOR-US: SAP NetWeaver AS Java
CVE-2015-4090 RESERVED
CVE-2015-4089 (Multiple cross-site request forgery (CSRF) vulnerabilities in the opti ...)
	NOT-FOR-US: WordPress plugin
CVE-2015-4088 RESERVED
CVE-2015-4087 RESERVED
CVE-2015-4086 RESERVED
CVE-2015-4084 (Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1. ...)
	NOT-FOR-US: Free Counter plugin for WordPress
CVE-2015-4083 RESERVED
CVE-2015-4081 RESERVED
CVE-2015-4080 (The Kankun Smart Socket device and mobile application uses a hardcoded ...)
	NOT-FOR-US: Kankun Smart Socket device and mobile application
CVE-2015-4079 RESERVED
CVE-2015-4078 (Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include s ...)
	NOT-FOR-US: Cloudera
CVE-2015-4077 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4 ...)
	NOT-FOR-US: Fortinet
CVE-2015-4076 RESERVED
CVE-2015-4075 (The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attacke ...)
	NOT-FOR-US: Joomla! plugin
CVE-2015-4074 (Directory traversal vulnerability in the Helpdesk Pro plugin before 1. ...)
	NOT-FOR-US: Joomla! plugin
CVE-2015-4073 (Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin befo ...)
	NOT-FOR-US: Joomla! plugin
CVE-2015-4072 (Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pr ...)
	NOT-FOR-US: Joomla! plugin
CVE-2015-4071 (The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attacke ...)
	NOT-FOR-US: Helpdesk Pro Plugin for Joomla!
CVE-2015-4070 (Open redirect vulnerability in the proxyimages function in wowproxy.ph ...)
	NOT-FOR-US: Wow Moodboard Lite
CVE-2015-4069 (The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 al ...)
	NOT-FOR-US: EdgeServiceImpl web service in Arcserve UDP
CVE-2015-4068 (Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 ...)
	NOT-FOR-US: Arcserve UDP
CVE-2015-4067 (Integer overflow in the libnv6 module in Dell NetVault Backup before 1 ...)
	NOT-FOR-US: Dell NetVault Backup
CVE-2015-4066 (Multiple SQL injection vulnerabilities in admin/handlers.php in the Gi ...)
	NOT-FOR-US: GigPress plugin for WordPress
CVE-2015-4061 RESERVED
CVE-2015-4060 (Heap-based buffer overflow in the TermProxy (WLTermProxyService.exe) s ...)
	NOT-FOR-US: Wavelink ConnectPro
CVE-2015-4059 (Heap-based buffer overflow in the License Server (LicenseServer.exe) i ...)
	NOT-FOR-US: Wavelink Terminal Emulation
CVE-2015-4058 REJECTED
CVE-2015-4057 (The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations ...)
	NOT-FOR-US: VCE Vision Intelligent Operations
CVE-2015-4056 (The System Library in VCE Vision Intelligent Operations before 2.6.5 d ...)
	NOT-FOR-US: VCE Vision Intelligent Operations
CVE-2015-4055 RESERVED
CVE-2015-XXXX [hwclock(8) SUID privilege escalation]
	[experimental] - util-linux 2.27~rc1-1
	- util-linux 2.27-1 (unimportant; bug #786804)
	NOTE: hwclock is not installed suid in Debian
	NOTE: https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/26/10
CVE-2015-4082 (attic before 0.15 does not confirm unencrypted backups with the user, ...)
	- attic 0.16-1 (bug #787435)
	[jessie] - attic (Minor issue)
	NOTE: https://github.com/jborg/attic/issues/271
	NOTE: https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/25/3
CVE-2015-4170 (Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem. ...)
	- linux 3.13.4-1
	[wheezy] - linux (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported)
	- linux-2.6 (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae (v3.13-rc5)
	NOTE: Affected code was introduced by the rewrite in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4898e640caf03fdbaf2122d5a33949bf3e4a5b34 (v3.11-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/1
CVE-2015-4065 (Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound- ...)
	NOT-FOR-US: WordPress plugin landing-pages
CVE-2015-4064 (SQL injection vulnerability in modules/module.ab-testing.php in the La ...)
	NOT-FOR-US: WordPress plugin landing-pages
CVE-2015-4063 (Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in ...)
	NOT-FOR-US: WordPress plugin newstatpress
CVE-2015-4062 (SQL injection vulnerability in includes/nsp_search.php in the NewStatP ...)
	NOT-FOR-US: WordPress plugin newstatpress
CVE-2015-4052
	RESERVED
CVE-2015-4051 (Beckhoff IPC Diagnostics before 1.8 does not properly restrict access ...)
	NOT-FOR-US: Beckhoff IPC Diagnostics
CVE-2015-4050 (FragmentListener in the HttpKernel component in Symfony 2.3.19 through ...)
	{DSA-3276-1}
	- symfony 2.7.0~beta2+dfsg-2
	NOTE: https://github.com/fabpot/symfony/commit/d320d27699abcea12479cf608908fa91bcc133d4
	NOTE: http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
CVE-2015-XXXX [XSS in group administration]
	- php-horde 5.2.5+debian0-1 (bug #785364)
	[jessie] - php-horde 5.2.1+debian0-2+deb8u1
	NOTE: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses world-readable per ...)
	- ceph-deploy (Fixed with initial upload to Debian)
	NOTE: http://tracker.ceph.com/issues/11694
CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with MCP-FI ...)
	NOT-FOR-US: Unisys Libra
CVE-2015-4048
	RESERVED
CVE-2015-4054 (PgBouncer before 1.5.5 allows remote attackers to cause a denial of se ...)
	- pgbouncer 1.5.5-1
	[jessie] - pgbouncer 1.5.4-6+deb8u1
	[wheezy] - pgbouncer 1.5.2-4+deb7u1
	[squeeze] - pgbouncer (Minor issue)
	NOTE: https://github.com/pgbouncer/pgbouncer/commit/edab5be6665b9e8de66c25ba527509b229468573 (master)
	NOTE: https://github.com/pgbouncer/pgbouncer/commit/74d6e5f7de5ec736f71204b7b422af7380c19ac5 (stable-1.5)
	NOTE: https://github.com/pgbouncer/pgbouncer/issues/42
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/21/2
CVE-2015-8147
	REJECTED
CVE-2015-8146
	REJECTED
CVE-2015-4046 (The asset discovery scanner in AlienVault OSSIM before 5.0.1 allows re ...)
	NOT-FOR-US: AlienVault OSSIM
CVE-2015-4045 (The sudoers file in the asset discovery scanner in AlienVault OSSIM be ...)
	NOT-FOR-US: AlienVault OSSIM
CVE-2015-4044
	RESERVED
CVE-2015-4043 (SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows re ...)
	NOT-FOR-US: ConnX ESP
CVE-2015-4040 (Directory traversal vulnerability in the configuration utility in F5 B ...)
	NOT-FOR-US: F5 BIG-IP
CVE-2015-4039 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Membersh ...)
	NOT-FOR-US: WordPress plugin WP Membership
CVE-2015-4038 (The WP Membership plugin 1.2.3 for WordPress allows remote authenticat ...)
	NOT-FOR-US: WordPress plugin WP Membership
CVE-2015-4037 (The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier create ...)
	{DSA-3285-1 DSA-3284-1}
	- qemu 1:2.3+dfsg-5
	[wheezy] - qemu 1.1.2+dfsg-6a+deb7u8
	[squeeze] - qemu (Not supported in Squeeze LTS)
	- qemu-kvm
	[squeeze] - qemu-kvm (Not supported in Squeeze LTS)
	NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
CVE-2015-4034 (The createFromParcel method in the com.absolute.android.persistence.Me ...)
	NOT-FOR-US: Samsung Galaxy S5
CVE-2015-4033 (Samsung SBeam allows remote attackers to read arbitrary images by leve ...)
	NOT-FOR-US: Samsung SBeam
CVE-2015-4032 (projectContents.jsp in the Developer tools in Visual Mining NetCharts ...)
	NOT-FOR-US: Visual Mining NetCharts Server
CVE-2015-4031 (Directory traversal vulnerability in saveFile.jsp in the development i ...)
	NOT-FOR-US: Visual Mining NetChart
CVE-2015-4030
	RESERVED
CVE-2015-4029 (Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense befo ...)
	NOT-FOR-US: pfSense
CVE-2015-4028
	RESERVED
CVE-2015-4027 (The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scanner ( ...)
	NOT-FOR-US: Acunetix Web Vulnerability Scanner
CVE-2015-4047 (racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause ...)
	{DSA-3272-1 DLA-234-1}
	- ipsec-tools 1:0.8.2+20140711-3 (bug #785778)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/20/1
CVE-2015-4023
	RESERVED
CVE-2015-4020 (RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4 ...)
	- rubygems (Affects versions between 2.0 and 2.4.6 and incomplete fix not applied)
	- libgems-ruby (Affects versions between 2.0 and 2.4.6 and incomplete fix not applied)
	- ruby1.8 (Vulnerable code not present)
	- ruby1.9.1 (Bundles 1.8.23, vulnerable code introduced in later 1.9.1 versions; incomplete fix not applied)
	- ruby2.1 (Incomplete fix not applied)
	- ruby2.2 (Incomplete fix not applied)
	- jruby (Incomplete fix not applied)
	NOTE: Original patch https://github.com/rubygems/rubygems/commit/6bbee35
	NOTE: introduced another vulnerability, assigned CVE-2015-4020. This CVE
	NOTE: only applies if only 6bbee35 was applied without 5c7bfb5
	NOTE: https://github.com/rubygems/rubygems/commit/5c7bfb5
CVE-2015-4019
	RESERVED
CVE-2015-4018 (SQL injection vulnerability in feedwordpresssyndicationpage.class.php ...)
	NOT-FOR-US: FeedWordPress plugin for WordPress
CVE-2015-4016 (The client detection protocol in Valve Steam allows remote attackers t ...)
	NOT-FOR-US: Related to non-free steam package.
	NOTE: The affected code is believed to be downloaded from Valve on startup.
	NOTE: http://store.steampowered.com/news/16801/
	NOTE: http://www.zerodayinitiative.com/advisories/ZDI-15-233/
CVE-2015-4015
	RESERVED
CVE-2015-4014
	RESERVED
CVE-2015-4013
	RESERVED
CVE-2015-4012
	RESERVED
CVE-2015-4011
	RESERVED
CVE-2015-4042 (Integer overflow in the keycompare_mb function in sort.c in sort in GN ...)
	- coreutils (Debian does not apply coreutils-i18n.patch)
	NOTE: https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
	NOTE: http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch
CVE-2015-4041 (The keycompare_mb function in sort.c in sort in GNU Coreutils through ...)
	- coreutils (Debian does not apply coreutils-i18n.patch)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=928749
	NOTE: https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
	NOTE: http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch
CVE-2015-4035 (scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not ...)
	- xz-utils (Affects 4.999.9beta)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/7
CVE-2015-4010 (Cross-site request forgery (CSRF) vulnerability in the Encrypted Conta ...)
	NOT-FOR-US: Encrypted Contact Form plugin for WordPress
CVE-2015-4009
	RESERVED
CVE-2015-4008
	RESERVED
CVE-2015-4007
	RESERVED
CVE-2015-4006
	RESERVED
CVE-2015-4005
	RESERVED
CVE-2015-4004 (The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untru ...)
	- linux 4.3-1 (unimportant)
	NOTE: ozwpan driver not built
	[wheezy] - linux (ozwpan driver not present)
	- linux-2.6 (ozwpan driver not present)
	NOTE: https://lkml.org/lkml/2015/5/13/739
	NOTE: Not enabled in Debian kernels; staging drivers are not supported
	NOTE: Driver was removed in Linux 4.3
CVE-2015-4003 (The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1 ...)
	- linux 4.1.3-1 (unimportant)
	NOTE: ozwpan driver not built
	[wheezy] - linux (ozwpan driver not present)
	- linux-2.6 (ozwpan driver not present)
	NOTE: https://lkml.org/lkml/2015/5/13/741
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04bf464a5dfd9ade0dda918e44366c2c61fce80b (v4.1-rc7)
	NOTE: Not enabled in Debian kernels; staging drivers are not supported
CVE-2015-4002 (drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux k ...)
	- linux 4.1.3-1 (unimportant)
	NOTE: ozwpan driver not built
	[wheezy] - linux (ozwpan driver not present)
	- linux-2.6 (ozwpan driver not present)
	NOTE: https://lkml.org/lkml/2015/5/13/740
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d114b9fe78c8d6fc6e70808c2092aa307c36dc8e (v4.1-rc7)
	NOTE: https://lkml.org/lkml/2015/5/13/742
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8 (v4.1-rc7)
	NOTE: Not enabled in Debian kernels; staging drivers are not supported
CVE-2015-4001 (Integer signedness error in the oz_hcd_get_desc_cnf function in driver ...)
	- linux 4.1.3-1 (unimportant)
	NOTE: ozwpan driver not built
	[wheezy] - linux (ozwpan driver not present)
	- linux-2.6 (ozwpan driver not present)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c (v4.1-rc7)
	NOTE: https://lkml.org/lkml/2015/5/13/744
	NOTE: Not enabled in Debian kernels; staging drivers are not supported
CVE-2015-4000 (The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is ena ...)
	{DSA-3688-1 DSA-3339-1 DSA-3324-1 DSA-3316-1 DSA-3300-1 DSA-3287-1 DLA-507-1 DLA-303-1 DLA-247-1}
	- openssl 1.0.2b-1
	- nss 2:3.19.1-1
	[squeeze] - nss (no point in switching min key size so close to EOL)
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	- icedove 38.1.0-1
	NOTE: CVE assigned specific to vulnerability in the TLS protocol that was
	NOTE: disclosed in section 3.2 of the
	NOTE: https://weakdh.org/imperfect-forward-secrecy.pdf paper.
	NOTE: Some links on the status of various implementations/protocols:
	NOTE: IKE/IPSEC: https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/
	NOTE: OpenSSL: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
	NOTE: OpenSSL 1.0.2b-1 limits it to 768 bit, future versions will increase the limit
	NOTE: GNUTLS: http://lists.gnutls.org/pipermail/gnutls-devel/2015-May/007597.html
	NOTE: NSS/iceweasel/icedove: https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/
	NOTE: NSS patch increasing limit to 1023 bits: https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
CVE-2015-3999 (Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames t ...)
	NOT-FOR-US: Piriform CCleaner
CVE-2015-3998 (Cross-site scripting (XSS) vulnerability in phpwhois 4.2.5, as used in ...)
	NOT-FOR-US: phpwhois component of adsense-click-fraud-monitoring wordpress plugin
CVE-2015-3997
	RESERVED
CVE-2015-3996 (The default AFSecurityPolicy.validatesDomainName configuration for AFS ...)
	- owncloud (iOS-specific)
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-012
CVE-2015-3995 (SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticat ...)
	NOT-FOR-US: SAP HANA DB
CVE-2015-3994 (The grant.xsfunc application in testApps/grantAccess/ in the XS Engine ...)
	NOT-FOR-US: SAP HANA DB
CVE-2015-3993 (Actian Matrix 5.1.x through 5.1.2.4 and 5.2.x through 5.2.0.1 allows r ...)
	NOT-FOR-US: Actian Matrix
CVE-2015-3992
	RESERVED
CVE-2015-3991 (strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial o ...)
	- strongswan 5.3.0-2
	[jessie] - strongswan (only affects 5.2.2+ and 5.3.0+)
	[wheezy] - strongswan (only affects 5.2.2+ and 5.3.0+)
	[squeeze] - strongswan (only affects 5.2.2+ and 5.3.0+)
	NOTE: http://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html
CVE-2015-3990 (The GMS ViewPoint (GMSVP) web application in Dell Sonicwall GMS, Analy ...)
	NOT-FOR-US: Dell
CVE-2015-3989 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 befor ...)
	NOT-FOR-US: concrete5
CVE-2015-4026 (The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.2 ...)
	{DSA-3280-1 DLA-307-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=68598
	NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-4025 (PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncat ...)
	{DSA-3280-1 DLA-307-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69418
	NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-4024 (Algorithmic complexity vulnerability in the multipart_buffer_headers f ...)
	{DSA-3280-1}
	- php5 5.6.9+dfsg-1
	[squeeze] - php5 (Too intrusive to backport)
	NOTE: https://bugs.php.net/bug.php?id=69364
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/2
	NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
	- hhvm 3.11.0+dfsg-1
	NOTE: HHVM fix: https://github.com/facebook/hhvm/commit/6188457bd90ed2f3516e778dca8e91536d91802e
CVE-2015-4022 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP b ...)
	{DSA-3280-1 DLA-307-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69545
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/2
	NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-4021 (The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41 ...)
	{DSA-3280-1 DLA-307-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69453
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/17/2 and https://www.openwall.com/lists/oss-security/2015/05/18/2
	NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-3987 (Multiple unquoted Windows search path vulnerabilities in the (1) Clien ...)
	NOT-FOR-US: McAfee
CVE-2015-3986 (Cross-site request forgery (CSRF) vulnerability in the TheCartPress eC ...)
	NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress
CVE-2015-3985
	RESERVED
CVE-2015-3984
	RESERVED
CVE-2015-3983 (The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the ...)
	- pcs (Fixed before initial release to Debian)
	NOTE: https://github.com/feist/pcs/commit/898204596a779673c88097bbdbe2d7ed6ed0cc8b (0.9.140)
CVE-2015-3982 (The session.flush function in the cached_db backend in Django 1.8.x be ...)
	- python-django (Only affects 1.8 and development branch)
	NOTE: https://www.djangoproject.com/weblog/2015/may/20/security-release/
CVE-2015-3981 (SAP NetWeaver RFC SDK allows attackers to obtain sensitive information ...)
	NOT-FOR-US: SAP NetWeaver
CVE-2015-3980 (SQL injection vulnerability in the Business Rules Framework (CRM-BF-BR ...)
	NOT-FOR-US: SAP CRM
CVE-2015-3979 (Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) ...)
	NOT-FOR-US: SAP CRM
CVE-2015-3978 (SAP Sybase Unwired Platform Online Data Proxy allows local users to ob ...)
	NOT-FOR-US: SAP Sybase Unwired Platform Online Data Proxy
CVE-2015-3977 (Buffer overflow in Schneider Electric IMT25 Magnetic Flow DTM before 1 ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-3976 (Cross-site scripting (XSS) vulnerability in GE Multilink ML810/3000/31 ...)
	NOT-FOR-US: GE
CVE-2015-3975
	REJECTED
CVE-2015-3974 (EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x b ...)
	NOT-FOR-US: EasyIO EasyIO-30P-SF controllers
CVE-2015-3973 (Janitza UMG 508, 509, 511, 604, and 605 devices improperly generate se ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3972 (The web interface on Janitza UMG 508, 509, 511, 604, and 605 devices s ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3971 (The debug interface on Janitza UMG 508, 509, 511, 604, and 605 devices ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3970 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3969 (Janitza UMG 508, 509, 511, 604, and 605 devices allow remote attackers ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3968 (The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3967 (Cross-site request forgery (CSRF) vulnerability on Janitza UMG 508, 50 ...)
	NOT-FOR-US: Janitza UMG devices
CVE-2015-3966 (The IPsec SA establishment process on Innominate mGuard devices with f ...)
	NOT-FOR-US: Innominate mGuard
CVE-2015-3965 (Hospira Symbiq Infusion System 3.13 and earlier allows remote authenti ...)
	NOT-FOR-US: Hospira Symbiq Infusion System
CVE-2015-3964 (SMA Solar Sunny WebBox has hardcoded passwords, which makes it easier ...)
	NOT-FOR-US: SMA Solar Sunny WebBox
CVE-2015-3963 (Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6 ...)
	NOT-FOR-US: Wind River VxWorks as used on Schneider Electric devices
CVE-2015-3962 (Schneider Electric StruxureWare Building Expert MPM before 2.15 does n ...)
	NOT-FOR-US: Schneider Electric StruxureWare
CVE-2015-3961 (The web-server component in MNS before 4.5.6 on Belden GarrettCom Magn ...)
	NOT-FOR-US: Belden GarrettCom switches
CVE-2015-3960 (The firmware in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Ma ...)
	NOT-FOR-US: Belden GarrettCom switches
CVE-2015-3959 (The firmware in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Ma ...)
	NOT-FOR-US: Belden GarrettCom switches
CVE-2015-3958 (Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly oth ...)
	NOT-FOR-US: Hospira LifeCare
CVE-2015-3957 (Hospira LifeCare PCA Infusion System before 7.0 stores private keys an ...)
	NOT-FOR-US: Hospira LifeCare
CVE-2015-3956 (Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infus ...)
	NOT-FOR-US: Hospira
CVE-2015-3955 (Stack-based buffer overflow in Hospira LifeCare PCA Infusion System 5. ...)
	NOT-FOR-US: Hospira LifeCare
CVE-2015-3954 (Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infus ...)
	NOT-FOR-US: Hospira
CVE-2015-3953 (Hard-coded accounts may be used to access Hospira Plum A+ Infusion Sys ...)
	NOT-FOR-US: Hospira
CVE-2015-3952 (Wireless keys are stored in plain text on Hospira Plum A+ Infusion Sys ...)
	NOT-FOR-US: Hospira
CVE-2015-3951 (RLE Nova-Wind Turbine HMI devices store cleartext credentials, which a ...)
	NOT-FOR-US: RLE Nova-Wind Turbines
CVE-2015-3950 (Cross-site request forgery (CSRF) vulnerability in XZERES 442SR OS on ...)
	NOT-FOR-US: XZERES 442SR (wind turbine)
CVE-2015-3949 (Sinapsi eSolar Light with firmware before 2.0.3970_schsl_2.2.85 allows ...)
	NOT-FOR-US: Sinapsi eSolar Light
CVE-2015-3948 (Cross-site scripting (XSS) vulnerability in Advantech WebAccess before ...)
	NOT-FOR-US: Advantech WebAccess
CVE-2015-3947 (SQL injection vulnerability in Advantech WebAccess before 8.1 allows r ...)
	NOT-FOR-US: Advantech WebAccess
CVE-2015-3946 (Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess ...)
	NOT-FOR-US: Advantech WebAccess
CVE-2015-3945
	REJECTED
CVE-2015-3944
	REJECTED
CVE-2015-3943 (Advantech WebAccess before 8.1 allows remote attackers to read sensiti ...)
	NOT-FOR-US: Advantech WebAccess
CVE-2015-3942 (Multiple cross-site scripting (XSS) vulnerabilities in the web-server ...)
	NOT-FOR-US: Belden GarrettCom switches
CVE-2015-3941
	REJECTED
CVE-2015-3940 (Untrusted search path vulnerability in Schneider Electric Wonderware S ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-3939 (Directory traversal vulnerability in the NC854 and NC856 modules for I ...)
	NOT-FOR-US: IDS RTU 850C devices
CVE-2015-3938 (The HTTP application on Mitsubishi Electric MELSEC FX3G PLC devices be ...)
	NOT-FOR-US: Mitsubishi Electric MELSEC devices
CVE-2015-3937
	RESERVED
CVE-2015-3936
	RESERVED
CVE-2015-3935 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...)
	- dolibarr 3.5.7+dfsg1-1 (bug #787762)
	[jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1
	NOTE: https://github.com/Dolibarr/dolibarr/issues/2857
	NOTE: https://github.com/GPCsolutions/dolibarr/commit/a7f6bbd316e9b96216e9b2c7a065c9251c9a8907
CVE-2015-3934 (Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow rem ...)
	NOT-FOR-US: Fiyo CMS
CVE-2015-3933 (Multiple SQL injection vulnerabilities in inc/lib/User.class.php in Me ...)
	NOT-FOR-US: MetalGenix GeniXCMS
CVE-2015-3932 (Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML ...)
	NOT-FOR-US: Netlock Mokka
CVE-2015-3931 (Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform X ...)
	NOT-FOR-US: Microsec e-Szigno
CVE-2015-3930
	RESERVED
CVE-2015-3929
	RESERVED
CVE-2015-3928
	RESERVED
CVE-2015-3927
	RESERVED
CVE-2015-3926
	RESERVED
CVE-2015-3925
	RESERVED
CVE-2015-3924
	RESERVED
CVE-2015-3923 (Coppermine Photo Gallery before 1.5.36 allows remote attackers to enum ...)
	NOT-FOR-US: Coppermine Photo Gallery
CVE-2015-3922 (Open redirect vulnerability in mode.php in Coppermine Photo Gallery be ...)
	NOT-FOR-US: Coppermine Photo Gallery
CVE-2015-3921 (Cross-site scripting (XSS) vulnerability in contact.php in Coppermine ...)
	NOT-FOR-US: Coppermine Photo Gallery
CVE-2015-3920
	RESERVED
CVE-2015-3919
	REJECTED
CVE-2015-3918
	RESERVED
CVE-2015-3917
	RESERVED
CVE-2015-3916
	RESERVED
CVE-2015-3915
	RESERVED
CVE-2015-3914
	RESERVED
CVE-2015-3913 (The IP stack in multiple Huawei Campus series switch models allows rem ...)
	NOT-FOR-US: Huawei
CVE-2015-3912 (Huawei E355s Mobile WiFi with firmware before 22.158.45.02.625 and WEB ...)
	NOT-FOR-US: Huawei
CVE-2015-3911 (Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows re ...)
	NOT-FOR-US: Huawei
CVE-2015-3910 (Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libv8 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-3909
	RESERVED
CVE-2015-3908 (Ansible before 1.9.2 does not verify that the server hostname matches ...)
	{DLA-1923-1}
	- ansible 1.9.2+dfsg-1 (low)
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/14/4
	NOTE: Fixed in commit https://github.com/ansible/ansible/commit/be7c59c7bbe2c7cfaad0151c42693ebd0ea4243f
CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE ...)
	NOT-FOR-US: CodeIgniter Rest Server
CVE-2015-3906 (The logcat_dump_text function in wiretap/logcat.c in the Android Logca ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: http://www.wireshark.org/security/wnpa-sec-2015-18.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11188
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b3b1f7c3aa2233a147294bad833b748d38fba84d
CVE-2015-3904 (Multiple cross-site scripting (XSS) vulnerabilities in roomcloud.php i ...)
	NOT-FOR-US: Roomcloud plugin for WordPress
CVE-2015-3901
	RESERVED
CVE-2015-3900 (RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4 ...)
	- rubygems (Affects versions between 2.0 and 2.4.6)
	- libgems-ruby (Affects versions between 2.0 and 2.4.6)
	- ruby1.8 (Vulnerable code not present)
	- ruby1.9.1 (Bundles 1.8.23, vulnerable code introduced in later 1.9.1 versions)
	- ruby2.1 2.1.5-4 (bug #790119)
	[jessie] - ruby2.1 2.1.5-2+deb8u2
	- ruby2.2 2.2.2-3 (bug #790111)
	- jruby 1.7.20.1-2
	[jessie] - jruby (Vulnerable code introduced with 1.7.19)
	[wheezy] - jruby (Vulnerable code introduced with 1.7.19)
	[squeeze] - jruby (Vulnerable code introduced with 1.7.19)
	NOTE: https://github.com/rubygems/rubygems/commit/6bbee35
	NOTE: https://github.com/rubygems/rubygems/commit/5c7bfb5
	NOTE: http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
CVE-2015-3899
	RESERVED
CVE-2015-3898 (Multiple open redirect vulnerabilities in Bonita BPM Portal before 6.5 ...)
	NOT-FOR-US: Bonita BPM Portal
CVE-2015-3897 (Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 al ...)
	NOT-FOR-US: Bonita BPM Portal
CVE-2015-3896
	RESERVED
CVE-2015-3895
	RESERVED
CVE-2015-3894
	RESERVED
CVE-2015-3893
	RESERVED
CVE-2015-3892
	RESERVED
CVE-2015-3891
	RESERVED
CVE-2015-3890 (Use-after-free vulnerability in Open Litespeed before 1.3.10. ...)
	NOT-FOR-US: Open Litespeed
CVE-2015-3889
	RESERVED
CVE-2015-3888 (Jolla Sailfish OS before 1.1.2.16 allows remote attackers to spoof pho ...)
	NOT-FOR-US: Jolla Sailfish OS
CVE-2015-3887 (Untrusted search path vulnerability in ProxyChains-NG before 4.9 allow ...)
	NOT-FOR-US: proxychains-ng
	NOTE: proxychains does not contain the vulnerable code
CVE-2015-3884 (Unrestricted file upload vulnerability in the (1) myAccount, (2) proje ...)
	NOT-FOR-US: qdPM
CVE-2015-3883 (Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow ...)
	NOT-FOR-US: qdPM
CVE-2015-3882 (qdPM 8.3 allows remote attackers to obtain sensitive information via i ...)
	NOT-FOR-US: qdPM
CVE-2015-3881 (Information disclosure issue in qdPM 8.3 allows remote attackers to ob ...)
	NOT-FOR-US: qdPM
CVE-2015-3879 (Media Player Framework in Android before 5.1.1 LMY48T allows attackers ...)
	NOT-FOR-US: Media Player Framework in Android
CVE-2015-3878 (Media Projection in Android 5.x before 5.1.1 LMY48T and 6.0 before 201 ...)
	NOT-FOR-US: Media Projection in Android
CVE-2015-3877 (Skia, as used in Android before 5.1.1 LMY48T, allows remote attackers ...)
	NOT-FOR-US: Skia, as used in Android
CVE-2015-3876 (libstagefright in Android through 5.1.1 LMY48M allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3875 (libutils in Android before 5.1.1 LMY48T allows remote attackers to exe ...)
	- android-platform-frameworks-native (unimportant; bug #806375)
CVE-2015-3874 (The Sonivox components in Android before 5.1.1 LMY48T allow remote att ...)
	NOT-FOR-US: The Sonivox components in Android
CVE-2015-3873 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3872 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3871 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3870 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3869 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3868 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3867 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3866
	RESERVED
CVE-2015-3865 (The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers ...)
	NOT-FOR-US: The Runtime subsystem in Android
CVE-2015-3864 (Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4E ...)
	NOT-FOR-US: libstagefright in mediaserver in Android
CVE-2015-3863 (Multiple integer overflows in the Blob class in keystore/keystore.cpp ...)
	NOT-FOR-US: Keystore in Android
CVE-2015-3862 (mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a ...)
	NOT-FOR-US: mediaserver in Android
CVE-2015-3861 (Multiple integer overflows in the addVorbisCodecInfo function in matro ...)
	NOT-FOR-US: libstagefright in mediaserver in Android
CVE-2015-3860 (packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen ...)
	NOT-FOR-US: Lockscreen in Android
CVE-2015-3859
	RESERVED
CVE-2015-3858 (The checkDestination function in internal/telephony/SMSDispatcher.java ...)
	NOT-FOR-US: Android
CVE-2015-3857
	RESERVED
CVE-2015-3856
	RESERVED
CVE-2015-3855
	RESERVED
CVE-2015-3854 (packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarn ...)
	NOT-FOR-US: Android
CVE-2015-3853
	RESERVED
CVE-2015-3852
	RESERVED
CVE-2015-3851
	RESERVED
CVE-2015-3850
	RESERVED
CVE-2015-3849 (The Region_createFromParcel function in core/jni/android/graphics/Regi ...)
	NOT-FOR-US: Region in Android
CVE-2015-3848
	RESERVED
CVE-2015-3847 (Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove st ...)
	NOT-FOR-US: Bluetooth in Android
CVE-2015-3846
	RESERVED
CVE-2015-3845 (The Parcel::appendFrom function in libs/binder/Parcel.cpp in Binder in ...)
	NOT-FOR-US: Binder in Android
CVE-2015-3844 (The getProcessRecordLocked method in services/core/java/com/android/se ...)
	NOT-FOR-US: ActivityManager in Android
CVE-2015-3843 (The SIM Toolkit (STK) framework in Android before 5.1.1 LMY48I allows ...)
	NOT-FOR-US: SIM Toolkit (STK) framework in Android
CVE-2015-3842 (Multiple heap-based buffer overflows in libeffects in the Audio Policy ...)
	NOT-FOR-US: Android
CVE-2015-3841
	RESERVED
CVE-2015-3840 (The MessageStatusReceiver service in the AndroidManifest.XML in Androi ...)
	NOT-FOR-US: MessageStatusReceiver in Android
CVE-2015-3839 (The updateMessageStatus function in Android 5.1.1 and earlier allows l ...)
	NOT-FOR-US: Android
CVE-2015-3838
	RESERVED
CVE-2015-3837 (The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certifica ...)
	NOT-FOR-US: Android
CVE-2015-3836 (The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivo ...)
	NOT-FOR-US: Sonivox DLS-to-EAS converter in Android
CVE-2015-3835 (Buffer overflow in the OMXNodeInstance::emptyBuffer function in omx/OM ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3834 (Multiple integer overflows in the BnHDCP::onTransact function in media ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3833 (The getRunningAppProcesses function in services/core/java/com/android/ ...)
	NOT-FOR-US: Android
CVE-2015-3832 (Multiple buffer overflows in MPEG4Extractor.cpp in libstagefright in A ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3831 (Buffer overflow in the readAt function in BpMediaHTTPConnection in med ...)
	NOT-FOR-US: mediaserver service in Android
CVE-2015-3830 (The stock Android browser address bar in all Android operating systems ...)
	NOT-FOR-US: Android
CVE-2015-3829 (Off-by-one error in the MPEG4Extractor::parseChunk function in MPEG4Ex ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3828 (The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp i ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3827 (The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libst ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3826 (The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp i ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3825
	REJECTED
CVE-2015-3824 (The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libst ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3823 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-3822
	RESERVED
CVE-2015-3821
	RESERVED
CVE-2015-3820
	RESERVED
CVE-2015-3819
	RESERVED
CVE-2015-3818
	RESERVED
CVE-2015-3817
	RESERVED
CVE-2015-3816
	RESERVED
CVE-2015-3903 (libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x ...)
	{DSA-3382-1}
	- phpmyadmin 4:4.4.6.1-1 (unimportant)
	[wheezy] - phpmyadmin (Vulnerable code not present)
	[squeeze] - phpmyadmin (Vulnerable code not present)
CVE-2015-3902 (Multiple cross-site request forgery (CSRF) vulnerabilities in the setu ...)
	{DSA-3382-1 DLA-336-1}
	- phpmyadmin 4:4.4.6.1-1 (unimportant)
CVE-2015-4036 (Array index error in the tcm_vhost_make_tpg function in drivers/vhost/ ...)
	- linux 3.16.7-ckt9-1
	[wheezy] - linux (Vulnerable code not present)
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c (v4.0-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/13/4
CVE-2015-3988 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashb ...)
	- horizon 2015.1.0-2 (bug #786741)
	[jessie] - horizon (Vulnerable code not present)
	[wheezy] - horizon (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/9
CVE-2015-3886 (libinfinity before 0.6.6-1 does not validate expired SSL certificates, ...)
	- libinfinity 0.6.6-1 (bug #783601)
	[jessie] - libinfinity 0.6.6-1~deb8u1
	[wheezy] - libinfinity (vulnerable code not present)
	[squeeze] - libinfinity (vulnerable code not present)
	NOTE: https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
	NOTE: https://github.com/gobby/gobby/issues/61
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/1
CVE-2015-3815 (The detect_version function in wiretap/logcat.c in the Android Logcat ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-18.html
CVE-2015-3814 (The (1) dissect_tfs_request and (2) dissect_tfs_response functions in ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-17.html
CVE-2015-3813 (The fragment_add_work function in epan/reassemble.c in the packet-reas ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-16.html
CVE-2015-3812 (Multiple memory leaks in the x11_init_protocol function in epan/dissec ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-15.html
CVE-2015-3811 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x ...)
	{DSA-3277-1 DLA-241-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark 1.8.2-5wheezy16
	NOTE: add fixed version for wheezy directly in CVE list since CVE-2015-3811 is the only one fixed in DSA-3277-1
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-14.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10978
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a6fc6aa0b4efc1a1c3d7a2e3b5189e888fb6ccc2
CVE-2015-3810 (epan/dissectors/packet-websocket.c in the WebSocket dissector in Wires ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-13.html
CVE-2015-3809 (The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11036
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-12.html
CVE-2015-3808 (The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the ...)
	{DSA-3277-1}
	- wireshark 1.12.5+g5819e5b-1
	[wheezy] - wireshark (Vulnerable code not present)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11036
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-12.html
CVE-2015-3807 (libxml2 in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...)
	NOT-FOR-US: Apple
CVE-2015-3806 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...)
	NOT-FOR-US: Apple
CVE-2015-3805 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3804 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...)
	NOT-FOR-US: Apple
CVE-2015-3803 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3802 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3801 (The document.cookie API implementation in the CFNetwork Cookies subsys ...)
	NOT-FOR-US: Apple
CVE-2015-3800 (The DiskImages component in Apple iOS before 8.4.1 and OS X before 10. ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3799 (The Apple ID OD plug-in in Apple OS X before 10.10.5 allows attackers ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3798 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...)
	NOT-FOR-US: Apple
CVE-2015-3797 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...)
	NOT-FOR-US: Apple
CVE-2015-3796 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...)
	NOT-FOR-US: Apple
CVE-2015-3795 (libxpc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attack ...)
	NOT-FOR-US: Apple
CVE-2015-3794 (The Speech UI in Apple OS X before 10.10.5, when speech alerts are ena ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3793 (CFPreferences in Apple iOS before 8.4.1 allows attackers to bypass the ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3792 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3791 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3790 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3789 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3788 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3787 (The Bluetooth subsystem in Apple OS X before 10.10.5 allows remote att ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3786 (The Bluetooth subsystem in Apple OS X before 10.10.5 does not properly ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3785 (The Telephony component in Apple OS X before 10.11, when the Continuit ...)
	NOT-FOR-US: Apple
CVE-2015-3784 (Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3783 (SceneKit in Apple OS X before 10.10.5 allows remote attackers to execu ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3782 (CloudKit in Apple iOS before 8.4.1 and OS X before 10.10.5 allows atta ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3781 (Cross-site scripting (XSS) vulnerability in Quick Look in Apple OS X b ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3780 (The Bluetooth subsystem in Apple OS X before 10.10.5 allows attackers ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3779 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3778 (bootp in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote ...)
	NOT-FOR-US: Apple
CVE-2015-3777 (Multiple buffer overflows in blued in the Bluetooth subsystem in Apple ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3776 (IOKit in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attacke ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3775 (Apple OS X before 10.10.5 does not properly implement authentication, ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3774 (The Dictionary app in Apple OS X before 10.10.5 does not use HTTPS, wh ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3773 (The SMB client in Apple OS X before 10.10.5 allows remote attackers to ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3772 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3771 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3770 (IOGraphics in Apple OS X before 10.10.5 allows attackers to execute ar ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3769 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3768 (Integer overflow in the kernel in Apple iOS before 8.4.1 and OS X befo ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3767 (udf in Apple OS X before 10.10.5 allows local users to gain privileges ...)
	NOT-FOR-US: Apple
CVE-2015-3766 (The kernel in Apple iOS before 8.4.1 and OS X before 10.10.5 does not ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3765 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...)
	NOT-FOR-US: QuickTime
CVE-2015-3764 (Notification Center in Apple OS X before 10.10.5 does not properly rem ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3763 (Safari in Apple iOS before 8.4.1 does not limit the rate of JavaScript ...)
	NOT-FOR-US: Safari
CVE-2015-3762 (The Text Formats component in Apple OS X before 10.10.5, as used in Te ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3761 (The kernel in Apple OS X before 10.10.5 does not properly validate pat ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3760 (dyld in Apple OS X before 10.10.5 does not properly validate pathnames ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3759 (Location Framework in Apple iOS before 8.4.1 allows local users to byp ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3758 (UIKit WebView in Apple iOS before 8.4.1 allows attackers to bypass an ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3757 (Apple OS X before 10.10.5 does not properly restrict access to the Dat ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3756 (The Certificate UI in Apple iOS before 8.4.1 does not prevent X.509 ce ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3755 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...)
	NOT-FOR-US: Safari
CVE-2015-3754 (The private-browsing implementation in WebKit in Apple Safari before 6 ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3753 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3752 (The Content Security Policy implementation in WebKit in Apple Safari b ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3751 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3750 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3749 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3748 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3747 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3746 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3745 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3744 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3743 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3742 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3741 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3740 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3739 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3738 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3737 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3736 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3735 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3734 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3733 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3732 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3731 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3730 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...)
	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2015-3729 (Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as ...)
	NOT-FOR-US: Apple
CVE-2015-3728 (The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3727 (WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before ...)
	NOT-FOR-US: Apple Safari
CVE-2015-3726 (The Telephony subsystem in Apple iOS before 8.4 allows physically prox ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3725 (MobileInstallation in Apple iOS before 8.4 does not ensure the uniquen ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3724 (CoreGraphics in Apple iOS before 8.4 allows remote attackers to execut ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3723 (CoreGraphics in Apple iOS before 8.4 allows remote attackers to execut ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3722 (Application Store in Apple iOS before 8.4 does not ensure the uniquene ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3721 (The kernel in Apple iOS before 8.4 and OS X before 10.10.4 does not pr ...)
	NOT-FOR-US: Apple iOS
CVE-2015-3720 (The kernel in Apple OS X before 10.10.4 does not properly manage memor ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3719 (TrueTypeScaler in FontParser in Apple iOS before 8.4 and OS X before 1 ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3718 (systemstatsd in the System Stats subsystem in Apple OS X before 10.10. ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3717 (Multiple buffer overflows in the printf functionality in SQLite, as us ...)
	NOT-FOR-US: sqlite as shipped in iOS
	NOTE: Fix for sqlite in iOS, upstream doesn't know whether it affects the standard
	NOTE: code base, but Apple would probably have submitted a patch if that were the case
	NOTE: sqlite-dev thread: https://groups.google.com/forum/#!topic/sqlite-dev/U7OjAbZO6LA
CVE-2015-3716 (Spotlight in Apple OS X before 10.10.4 allows attackers to execute arb ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3715 (The code-signing implementation in Apple OS X before 10.10.4 does not ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3714 (Apple OS X before 10.10.4 does not properly consider custom resource r ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3713 (QuickTime in Apple OS X before 10.10.4 allows remote attackers to exec ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3712 (The NVIDIA graphics driver in Apple OS X before 10.10.4 allows attacke ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3711 (The NTFS implementation in Apple OS X before 10.10.4 allows attackers ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3710 (Mail in Apple iOS before 8.4 and OS X before 10.10.4 allows remote att ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3709 (Race condition in kext tools in Apple OS X before 10.10.4 allows local ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3708 (kextd in kext tools in Apple OS X before 10.10.4 allows attackers to w ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3707 (The FireWire driver in IOFireWireFamily in Apple OS X before 10.10.4 a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3706 (IOAcceleratorFamily in Apple OS X before 10.10.4 allows attackers to e ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3705 (IOAcceleratorFamily in Apple OS X before 10.10.4 allows attackers to e ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3704 (runner in Install.framework in the Install Framework Legacy subsystem ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3703 (ImageIO in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3702 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3701 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3700 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3699 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3698 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3697 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3696 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3695 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3694 (FontParser in Apple iOS before 8.4 and OS X before 10.10.4 allows remo ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3693 (Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and othe ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3692 (Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and othe ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3691 (The Monitor Control Command Set kernel extension in the Display Driver ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3690 (The DiskImages subsystem in Apple iOS before 8.4 and OS X before 10.10 ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3689 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3688 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3687 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3686 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3685 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3684 (The HTTPAuthentication implementation in CFNetwork in Apple iOS before ...)
	NOT-FOR-US: Apple iOS and Apple OS X
CVE-2015-3683 (The Bluetooth HCI interface implementation in Apple OS X before 10.10. ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3682 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3681 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3680 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3679 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3678 (AppleThunderboltEDMService in Apple OS X before 10.10.4 allows local u ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3677 (The LZVN compression feature in AppleFSCompression in Apple OS X befor ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3676 (AppleGraphicsControl in Apple OS X before 10.10.4 allows attackers to ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3675 (The default configuration of the Apache HTTP Server on Apple OS X befo ...)
	- apache2 (default configuration on Apple OS X)
CVE-2015-3674 (afpserver in Apple OS X before 10.10.4 allows remote attackers to exec ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3673 (Admin Framework in Apple OS X before 10.10.4 does not properly restric ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3672 (Admin Framework in Apple OS X before 10.10.4 does not properly handle ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3671 (Admin Framework in Apple OS X before 10.10.4 does not properly verify ...)
	NOT-FOR-US: Apple OS X
CVE-2015-3670
	REJECTED
CVE-2015-3669 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3668 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3667 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3666 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3665 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3664 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3663 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3662 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3661 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...)
	NOT-FOR-US: Apple QuickTime
CVE-2015-3660 (Cross-site scripting (XSS) vulnerability in the PDF functionality in W ...)
	NOT-FOR-US: Apple WebKit
CVE-2015-3659 (The SQLite authorizer in the Storage functionality in WebKit in Apple ...)
	NOT-FOR-US: Apple WebKit
CVE-2015-3658 (The Page Loading functionality in WebKit in Apple Safari before 6.2.7, ...)
	NOT-FOR-US: Apple WebKit
CVE-2015-3657 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-3656 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-3655 (Cross-site request forgery (CSRF) vulnerability in Aruba Networks Clea ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-3654 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-3653 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...)
	NOT-FOR-US: Aruba Networks ClearPass Policy Manager
CVE-2015-3652
	RESERVED
CVE-2015-3651
	RESERVED
CVE-2015-3650 (vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 an ...)
	NOT-FOR-US: VMware
CVE-2015-3649 (The open-uri-cached rubygem allows local users to execute arbitrary Ru ...)
	NOT-FOR-US: open-uri-cached rubygem
CVE-2015-3648 (Directory traversal vulnerability in pages/setup.php in Montala Limite ...)
	NOT-FOR-US: ResourceSpace
CVE-2015-3647 (Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front ...)
	NOT-FOR-US: WP Photo Album Plus (aka WPPA) plugin for WordPress
CVE-2015-3645
	RESERVED
CVE-2015-3644 (Stunnel 5.00 through 5.13, when using the redirect option, does not re ...)
	{DSA-3299-1}
	- stunnel4 3:5.18-1 (bug #785352)
	[wheezy] - stunnel4 (Affects 5.00 through 5.13 with specific configurations)
	[squeeze] - stunnel4 (Affects 5.00 through 5.13 with specific configurations)
	NOTE: https://www.stunnel.org/CVE-2015-3644.html
CVE-2015-3885 (Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier ...)
	{DSA-3692-1 DLA-243-1 DLA-228-1}
	- dcraw 9.26-1 (bug #785019)
	[jessie] - dcraw (Minor issue)
	[wheezy] - dcraw (Minor issue)
	[squeeze] - dcraw (Minor issue)
	- ufraw 0.20-3 (bug #786783)
	[jessie] - ufraw 0.20-2+deb8u1
	[wheezy] - ufraw (Minor issue)
	[squeeze] - ufraw (Minor issue)
	- libraw 0.16.2-1 (bug #786788)
	[jessie] - libraw 0.16.0-9+deb8u1
	[wheezy] - libraw 0.14.6-2+deb7u1
	[squeeze] - libraw (Minor issue)
	- rawtherapee 4.2-2
	[jessie] - rawtherapee 4.2-1+deb8u1
	[wheezy] - rawtherapee 4.0.9-4+deb7u1
	[squeeze] - rawtherapee (Minor issue)
	- rawstudio
	[wheezy] - rawstudio (Minor issue)
	[squeeze] - rawstudio (Minor issue)
	- xbmc 2:13.2+dfsg1-5 (bug #786688)
	[jessie] - xbmc (Minor issue)
	[wheezy] - xbmc (Minor issue)
	- kodi 16.0+dfsg1-1 (bug #792299)
	- exactimage 0.9.1-5 (bug #786785)
	[jessie] - exactimage 0.8.9-7+deb8u1
	[wheezy] - exactimage 0.8.5-5+deb7u4
	[squeeze] - exactimage (Minor issue)
	- freeimage 3.15.4-6 (bug #786790)
	[wheezy] - freeimage (Minor issue)
	[squeeze] - freeimage (Minor issue)
	- darktable 1.6.7-1 (bug #786792)
	[jessie] - darktable 1.4.2-1+deb8u1
	[wheezy] - darktable (Minor issue)
	NOTE: http://www.ocert.org/advisories/ocert-2015-006.html
	NOTE: https://codesearch.debian.net/results/int%20CLASS%20ljpeg_start
	NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package
CVE-2015-3880 (Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3. ...)
	- phpbb3 3.0.14-1
	[jessie] - phpbb3 3.0.12-5+deb8u1
	[wheezy] - phpbb3 3.0.10-4+deb7u3
	[squeeze] - phpbb3 (Minor issue)
	NOTE: https://wiki.phpbb.com/Release_Highlights/3.0.14
	NOTE: Patch: https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/2
CVE-2015-XXXX [pdf2djvu: insecure use of /tmp when executing c44]
	- pdf2djvu 0.7.21-1 (bug #784889)
	[jessie] - pdf2djvu 0.7.17-4+deb8u1
	[wheezy] - pdf2djvu 0.7.12-2+deb7u1
	[squeeze] - pdf2djvu (Minor issue)
	NOTE: https://bitbucket.org/jwilk/pdf2djvu/issue/103
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-XXXX [didjvu: insecure use of /tmp when executing c44]
	- didjvu 0.4-1 (bug #784888)
	[jessie] - didjvu 0.2.8-1+deb8u1
	[wheezy] - didjvu 0.2.3-2+deb7u1
	NOTE: https://bitbucket.org/jwilk/didjvu/issue/8
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 thro ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #787371)
	[wheezy] - wpa (Vulnerable code introduced later)
	NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93
	- wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	- hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-4/
	NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
	NOTE: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4145 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #787371)
	[wheezy] - wpa (Vulnerable code introduced later)
	NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93
	- wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	- hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-4/
	NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
	NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
	NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4144 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #787371)
	[wheezy] - wpa (Vulnerable code introduced later)
	NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93
	- wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	- hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-4/
	NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
	NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
	NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4143 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #787371)
	- wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	- hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y)
	NOTE: http://w1.fi/security/2015-4/
	NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
	NOTE: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
	NOTE: http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4142 (Integer underflow in the WMM Action frame parser in hostapd 0.5.5 thro ...)
	{DSA-3397-1 DLA-260-1}
	- wpa 2.3-2.2 (bug #787373)
	- wpasupplicant
	[squeeze] - wpasupplicant (0.7.0-v2.4 with specific configurations)
	- hostapd
	NOTE: http://w1.fi/security/2015-3/
	NOTE: http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/09/5
CVE-2015-4141 (The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplican ...)
	{DSA-3397-1}
	- wpa 2.3-2.2 (bug #787372)
	- wpasupplicant (unimportant)
	[squeeze] - wpasupplicant (Affects v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration)
	- hostapd
	[squeeze] - hostapd (Affects 0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration and upnp_iface parameter on runtime)
	NOTE: http://w1.fi/security/2015-2/
	NOTE: http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/09/4
CVE-2015-XXXX [incorrect parsing of from header when assigning pgp keys]
	- semi 1.14.7~0.20120428-17 (bug #784712)
	[jessie] - semi 1.14.7~0.20120428-14+deb8u1
	[wheezy] - semi (Minor issue)
	[squeeze] - semi (Minor issue)
	NOTE: http://thread.gmane.org/gmane.mail.wanderlust.general.japanese/9819
	NOTE: Fixed in https://github.com/wanderlust/semi/commit/9976269556c5bcc021e4edf1b0e1accd39929528
CVE-2015-XXXX [incorrect substring matching when assigning pgp keys]
	- semi 1.14.7~0.20120428-17 (bug #784712)
	[jessie] - semi 1.14.7~0.20120428-14+deb8u1
	[wheezy] - semi (Minor issue)
	[squeeze] - semi (Minor issue)
	NOTE: https://github.com/wanderlust/semi/issues/9
	NOTE: https://github.com/wanderlust/semi/commit/5c8466321d281d72850c298b9ebcd466b4b0160c
	NOTE: https://github.com/wanderlust/semi/commit/da44c8e0ea6baf5dac2b8debf86f720a541f31a5
	- mew 1:6.6-3
	[jessie] - mew 1:6.6-2+deb8u1
	[wheezy] - mew (Minor issue)
	[squeeze] - mew (Minor issue)
	- mew-beta 7.0.50~6.6+0.20150508-1
	[jessie] - mew-beta 7.0.50~6.6+0.20140902-1+deb8u1
	[wheezy] - mew-beta (Minor issue)
	[squeeze] - mew-beta (Minor issue)
CVE-2015-3429 (Cross-site scripting (XSS) vulnerability in example.html in Genericons ...)
	{DSA-3328-1}
	- wordpress 4.2.2+dfsg-1 (bug #784603)
	[wheezy] - wordpress (twentyfifteen theme not present)
	[squeeze] - wordpress (twentyfifteen theme not present)
	NOTE: https://wordpress.org/news/2015/05/wordpress-4-2-2/
	NOTE: https://www.netsparker.com/cve-2015-3429-dom-xss-vulnerability-in-twenty-fifteen-wordpress-theme/
	NOTE: The default theme twentyfifteen is not present in wheezy. Upstream has
	NOTE: committed https://core.trac.wordpress.org/changeset/32385 though, which
	NOTE: will remove the Genericons example.html files if present. As the file was included
	NOTE: in other popular themes and plugins maybe it should as well be included
	NOTE: in an update for wordpress for wheezy?
CVE-2015-3643 (usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before 0.2.5 ...)
	NOT-FOR-US: usb-creator
CVE-2015-3642 (The TLS and DTLS processing functionality in Citrix NetScaler Applicat ...)
	NOT-FOR-US: Citrix
CVE-2015-3641 (bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a den ...)
	- bitcoin 0.10.2-1
CVE-2015-3640 (phpMyBackupPro 2.5 and earlier does not properly escape the "." charac ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-3639 (phpMyBackupPro 2.5 and earlier does not properly sanitize input string ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-3638 (phpMyBackupPro before 2.5 does not validate integer input, which allow ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-3637 (SQL injection vulnerability in phpMyBackupPro when run in multi-user m ...)
	NOT-FOR-US: phpMyBackupPro
CVE-2015-3635
	RESERVED
CVE-2015-3634 (The SlideshowPluginSlideshowStylesheet::loadStylesheetByAJAX function ...)
	NOT-FOR-US: Slideshow plugin for Wordpress
CVE-2015-3633 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow rem ...)
	NOT-FOR-US: Foxit Reader, Enterprise Reader, PhantomPDF
CVE-2015-3632 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow rem ...)
	NOT-FOR-US: Foxit Reader, Enterprise Reader, PhantomPDF
CVE-2015-3631 (Docker Engine before 1.6.1 allows local users to set arbitrary Linux S ...)
	- docker.io 1.6.1+dfsg1-1 (bug #784726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3630 (Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, ...)
	- docker.io 1.6.1+dfsg1-1 (bug #784726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3629 (Libcontainer 1.6.0, as used in Docker Engine, allows local users to es ...)
	- docker.io 1.6.1+dfsg1-1 (bug #784726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3628 (The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Cont ...)
	NOT-FOR-US: F5
CVE-2015-3627 (Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor ...)
	- docker.io 1.6.1+dfsg1-1 (bug #784726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3626 (Cross-site scripting (XSS) vulnerability in the DHCP Monitor page in t ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2015-3625 (The NVIDIA GPU driver for FreeBSD R352 before 352.09, 346 before 346.7 ...)
	- nvidia-graphics-drivers (FreeBSD drivers in separate blobs/source)
CVE-2015-3624 (Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMe ...)
	NOT-FOR-US: Ektron Content Management System
CVE-2015-3623 (XML external entity (XXE) vulnerability in QlikTech Qlikview before 11 ...)
	NOT-FOR-US: QlikTech
CVE-2015-3621 (Untrusted search path vulnerability in SAP Enterprise Central Componen ...)
	NOT-FOR-US: SAP ECC
CVE-2015-3620 (Cross-site scripting (XSS) vulnerability in the advanced dataset repor ...)
	NOT-FOR-US: Fortinet FortiAnalyzer
CVE-2015-3619 (Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in t ...)
	NOT-FOR-US: Joomla addon
CVE-2015-3618 (Cross-site scripting (XSS) vulnerability in Nagios Business Process In ...)
	NOT-FOR-US: Nagios Business Process Intelligence
CVE-2015-3617 (Fortinet FortiManager 5.0 before 5.0.11 and 5.2 before 5.2.2 allow loc ...)
	NOT-FOR-US: Fortinet
CVE-2015-3616 (SQL injection vulnerability in Fortinet FortiManager 5.0.x before 5.0. ...)
	NOT-FOR-US: Fortinet
CVE-2015-3615 (Cross-site scripting (XSS) vulnerability in Fortinet FortiManager 5.0. ...)
	NOT-FOR-US: Fortinet
CVE-2015-3614 (Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows r ...)
	NOT-FOR-US: Fortinet
CVE-2015-3613 (A vulnerability exists in in FortiManager 5.2.1 and earlier and 5.0.10 ...)
	NOT-FOR-US: Fortinet
CVE-2015-3612 (A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2. ...)
	NOT-FOR-US: Fortinet
CVE-2015-3611 (A Command Injection vulnerability exists in FortiManager 5.2.1 and ear ...)
	NOT-FOR-US: Fortinet
CVE-2015-3610 (The Siemens HomeControl for Room Automation application before 2.0.1 f ...)
	NOT-FOR-US: Siemens HomeControl for Room Automation application for Android
CVE-2015-3609
	RESERVED
CVE-2015-3608
	RESERVED
CVE-2015-3607
	RESERVED
CVE-2015-3606
	RESERVED
CVE-2015-3605
	RESERVED
CVE-2015-3604
	RESERVED
CVE-2015-3603
	RESERVED
CVE-2015-3602
	RESERVED
CVE-2015-3601
	RESERVED
CVE-2015-3600
	RESERVED
CVE-2015-3599
	RESERVED
CVE-2015-3598
	RESERVED
CVE-2015-3597
	RESERVED
CVE-2015-3596
	RESERVED
CVE-2015-3595
	RESERVED
CVE-2015-3594
	RESERVED
CVE-2015-3593
	RESERVED
CVE-2015-3592
	RESERVED
CVE-2015-3591
	REJECTED
CVE-2015-3590
	RESERVED
CVE-2015-3589
	RESERVED
CVE-2015-3588
	RESERVED
CVE-2015-3587
	RESERVED
CVE-2015-3586
	RESERVED
CVE-2015-3585
	RESERVED
CVE-2015-3584
	RESERVED
CVE-2015-3583
	RESERVED
CVE-2015-3582
	RESERVED
CVE-2015-3581
	RESERVED
CVE-2015-3580
	RESERVED
CVE-2015-3579
	RESERVED
CVE-2015-3578
	RESERVED
CVE-2015-3577
	RESERVED
CVE-2015-3576
	RESERVED
CVE-2015-3575
	RESERVED
CVE-2015-3574
	RESERVED
CVE-2015-3573
	RESERVED
CVE-2015-3572
	REJECTED
CVE-2015-3571
	REJECTED
CVE-2015-3570
	RESERVED
CVE-2015-3569
	REJECTED
CVE-2015-3568
	RESERVED
CVE-2015-3567
	RESERVED
CVE-2015-3566
	RESERVED
CVE-2015-3565
	RESERVED
CVE-2015-3564
	RESERVED
CVE-2015-3563
	RESERVED
CVE-2015-3562
	RESERVED
CVE-2015-3561
	RESERVED
CVE-2015-3560
	RESERVED
CVE-2015-3559
	RESERVED
CVE-2015-3558
	RESERVED
CVE-2015-3557
	RESERVED
CVE-2015-3556
	RESERVED
CVE-2015-3555
	RESERVED
CVE-2015-3554
	RESERVED
CVE-2015-3553
	RESERVED
CVE-2015-3552
	RESERVED
CVE-2015-3551
	RESERVED
CVE-2015-3550
	RESERVED
CVE-2015-3549
	RESERVED
CVE-2015-3548
	RESERVED
CVE-2015-3547
	RESERVED
CVE-2015-3546
	RESERVED
CVE-2015-3545
	RESERVED
CVE-2015-3544
	RESERVED
CVE-2015-3543
	RESERVED
CVE-2015-3542
	RESERVED
CVE-2015-3541
	RESERVED
CVE-2015-3540
	RESERVED
CVE-2015-3539
	RESERVED
CVE-2015-3538
	RESERVED
CVE-2015-3537
	RESERVED
CVE-2015-3536
	RESERVED
CVE-2015-3535
	RESERVED
CVE-2015-3534
	RESERVED
CVE-2015-3533
	RESERVED
CVE-2015-3532
	RESERVED
CVE-2015-3531
	RESERVED
CVE-2015-3530
	RESERVED
CVE-2015-3529
	RESERVED
CVE-2015-3528
	RESERVED
CVE-2015-3527
	RESERVED
CVE-2015-3526
	RESERVED
CVE-2015-3525
	RESERVED
CVE-2015-3524
	RESERVED
CVE-2015-3523
	RESERVED
CVE-2015-3522
	RESERVED
CVE-2015-3521
	RESERVED
CVE-2015-3520
	RESERVED
CVE-2015-3519
	RESERVED
CVE-2015-3518
	RESERVED
CVE-2015-3517
	RESERVED
CVE-2015-3516
	RESERVED
CVE-2015-3515
	RESERVED
CVE-2015-3514
	RESERVED
CVE-2015-3513
	RESERVED
CVE-2015-3512
	RESERVED
CVE-2015-3511
	RESERVED
CVE-2015-3510
	RESERVED
CVE-2015-3509
	RESERVED
CVE-2015-3508
	RESERVED
CVE-2015-3507
	RESERVED
CVE-2015-3506
	RESERVED
CVE-2015-3505
	RESERVED
CVE-2015-3504
	RESERVED
CVE-2015-3503
	RESERVED
CVE-2015-3502
	RESERVED
CVE-2015-3501
	RESERVED
CVE-2015-3500
	RESERVED
CVE-2015-3499
	RESERVED
CVE-2015-3498
	RESERVED
CVE-2015-3497
	RESERVED
CVE-2015-3496
	RESERVED
CVE-2015-3495
	RESERVED
CVE-2015-3494
	RESERVED
CVE-2015-3493
	RESERVED
CVE-2015-3492
	RESERVED
CVE-2015-3491
	RESERVED
CVE-2015-3490
	RESERVED
CVE-2015-3489
	RESERVED
CVE-2015-3488
	RESERVED
CVE-2015-3487
	RESERVED
CVE-2015-3486
	RESERVED
CVE-2015-3485
	RESERVED
CVE-2015-3484
	RESERVED
CVE-2015-3483
	RESERVED
CVE-2015-3482
	RESERVED
CVE-2015-3481
	RESERVED
CVE-2015-3480
	RESERVED
CVE-2015-3479
	RESERVED
CVE-2015-3478
	RESERVED
CVE-2015-3477
	RESERVED
CVE-2015-3476
	RESERVED
CVE-2015-3475
	RESERVED
CVE-2015-3474
	RESERVED
CVE-2015-3473
	RESERVED
CVE-2015-3472
	RESERVED
CVE-2015-3471
	RESERVED
CVE-2015-3470
	RESERVED
CVE-2015-3469
	RESERVED
CVE-2015-3468
	RESERVED
CVE-2015-3467
	RESERVED
CVE-2015-3466
	RESERVED
CVE-2015-3465
	RESERVED
CVE-2015-3464
	RESERVED
	NOT-FOR-US: Oracle FLEXCUBE
CVE-2015-3463
	RESERVED
	NOT-FOR-US: Oracle FLEXCUBE
CVE-2015-3462
	RESERVED
CVE-2015-3461
	RESERVED
CVE-2015-3460
	RESERVED
CVE-2015-3905 (Buffer overflow in the set_cs_start function in t1disasm.c in t1utils ...)
	{DLA-256-1}
	- t1utils 1.38-4 (bug #779274)
	[wheezy] - t1utils (Minor issue)
	NOTE: https://github.com/kohler/t1utils/issues/4
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/13/9
CVE-2015-XXXX [crashes on crafted upack packed file]
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/03/3
CVE-2015-XXXX [crash during algorithmic detection on crafted PE file]
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/a7bdfb4f0d3210eeab49280726ff3ea6d703280e
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/03/4
CVE-2015-XXXX [BUG/MAJOR: http: don't read past buffer's end in http_replace_value]
	- haproxy 1.5.12-1
	[jessie] - haproxy (Minor issue)
	[squeeze] - haproxy (Vulnerable code not present)
	NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=8e05ac2044c6523c867ceaaae1f10486370eec89
	NOTE: Introduced by:
	http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=c9c2daf283011e9b9ab0af57629af47862e14e0e
CVE-2015-XXXX [BUG/MAJOR: http: prevent risk of reading past end with balance url_param]
	- haproxy 1.5.12-1
	[jessie] - haproxy (Minor issue)
	[squeeze] - haproxy (Similar check was already present)
	NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=522aab39753e8ed13786bc57b03ef7ae4ffe6c87
	NOTE: For squeeze, the above commit message implies that the fix does not need to be backported to version 1.4 and indeed, the code already contains a (different) check that limits the value of "len".
CVE-2015-4017 (Salt before 2014.7.6 does not verify certificates when connecting via ...)
	- salt (Vulnerable code not present in the version in Debian stable/unstable)
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/02/1
CVE-2015-3646 (OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014 ...)
	- keystone 2015.1.0-1
	[jessie] - keystone (Minor issue)
	[wheezy] - keystone (Vulnerable code not present)
	NOTE: Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3
CVE-2015-3636 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel before ...)
	{DSA-3290-1}
	- linux 4.0.2-1
	[jessie] - linux 3.16.7-ckt11-1
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code not present)
	NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a134f083e79fb4c3d0a925691e732c56911b4326 (v4.1-rc2)
	NOTE: https://lkml.org/lkml/2011/5/13/382
CVE-2015-3459 (The communication module on the Hospira LifeCare PCA Infusion System b ...)
	NOT-FOR-US: Hospira Lifecare PCA
CVE-2015-3458 (The fetchView function in the Mage_Core_Block_Template_Zend class in M ...)
	NOT-FOR-US: Magento
CVE-2015-3457 (Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.1 ...)
	NOT-FOR-US: Magento
CVE-2015-3456 (The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and ear ...)
	{DSA-3274-1 DSA-3262-1 DSA-3259-1 DLA-268-1 DLA-249-1 DLA-248-1}
	- qemu 1:2.3+dfsg-3
	[wheezy] - qemu 1.1.2+dfsg-6a+deb7u7
	- qemu-kvm
	[wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u7
	- xen 4.4.0-1
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: Xen switched to qemu-system in 4.4.0-1
	- xen-qemu-dm-4.0
	NOTE: http://xenbits.xen.org/xsa/advisory-133.html
	[squeeze] - xen-qemu-dm-4.0 (Not supported in Squeeze LTS)
	- virtualbox 4.3.28-dfsg-1 (bug #785424)
	- virtualbox-ose
	NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
	NOTE: http://venom.crowdstrike.com/
CVE-2015-3454 (TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket ...)
	NOT-FOR-US: TelescopeJS
CVE-2015-3453
	RESERVED
CVE-2015-3452
	RESERVED
CVE-2015-3450 (Heap-based buffer overflow in libaxl 0.6.9 allows attackers to cause a ...)
	NOT-FOR-US: libaxl
CVE-2015-3449 (The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Eve ...)
	NOT-FOR-US: SAP Afaria
CVE-2015-3448 (REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and ...)
	- ruby-rest-client 1.8.0-1
	[jessie] - ruby-rest-client (Minor issue, logging not enabled by default)
	[wheezy] - ruby-rest-client (Minor issue, logging not enabled by default)
	- librestclient-ruby
	[squeeze] - librestclient-ruby (Minor issue, logging not enabled by default)
CVE-2015-3447 (Multiple cross-site scripting (XSS) vulnerabilities in macIpSpoofView. ...)
	NOT-FOR-US: Dell SonicWALL SonicOS
CVE-2015-3622 (The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 ...)
	{DSA-3256-1}
	- libtasn1-6 4.4-3
	- libtasn1-3 (Introduced with 3.6)
	NOTE: https://blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html
	NOTE: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=f979435823a02f842c41d49cd41cc81f25b5d677
	NOTE: Introduced by http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=609d5c1366fb424f6150c4eed358d246e61cf204 (libtasn1_3_6)
	NOTE: DECR_LEN introduced in http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=154909136c12cfa5c60732b7210827dfb1ec6aee (libtasn1_3_6)
CVE-2015-3455 (Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, a ...)
	- squid 4.1-1 (unimportant)
	- squid3 3.5.6-1 (unimportant)
	NOTE: http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
	NOTE: Only affects custom builds with --enable-ssl (disabled for license purposes in Debian)
CVE-2015-3446 (The Framework Daemon in AlienVault Unified Security Management before ...)
	NOT-FOR-US: AlienVault Unified Security Management
CVE-2015-3445
	RESERVED
CVE-2015-3444
	RESERVED
CVE-2015-3443 (Cross-site scripting (XSS) vulnerability in the basic dashboard in Thy ...)
	NOT-FOR-US: Thycotic Secret Server
CVE-2015-3442 (Soreco Xpert.Line 3.0 allows local users to spoof users and consequent ...)
	NOT-FOR-US: Soreco
CVE-2015-3441 (The Parental Control panel in Genexis devices with DRGOS before 1.14.1 ...)
	NOT-FOR-US: Genexis devices
CVE-2015-3437
	RESERVED
CVE-2015-3436 (provider/server/ECServer.cpp in Zarafa Collaboration Platform (ZCP) be ...)
	- zarafa (bug #658433)
CVE-2015-3435 (Samsung Security Manager (SSM) before 1.31 allows remote attackers to ...)
	NOT-FOR-US: Samsung Security Manager
CVE-2015-3434
	RESERVED
CVE-2015-3433
	RESERVED
CVE-2015-3432 (Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly ...)
	- ajaxplorer (bug #668381)
CVE-2015-3431 (Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to ex ...)
	- ajaxplorer (bug #668381)
CVE-2015-3430
	RESERVED
CVE-2015-3428
	RESERVED
CVE-2015-3426
	RESERVED
CVE-2015-3425 (Cross-site scripting (XSS) vulnerability in Accentis Content Resource ...)
	NOT-FOR-US: Accentis Content Resource Management System
CVE-2015-3424 (SQL injection vulnerability in Accentis Content Resource Management Sy ...)
	NOT-FOR-US: Accentis Content Resource Management System
CVE-2015-3423 (Multiple SQL injection vulnerabilities in NetCracker Resource Manageme ...)
	NOT-FOR-US: NetCracker Resource Management System
CVE-2015-3422 (Cross-site scripting (XSS) vulnerability in SearchBlox before 8.2.1 al ...)
	NOT-FOR-US: SearchBlox
CVE-2015-3421 (The eshop_checkout function in checkout.php in the Wordpress Eshop plu ...)
	NOT-FOR-US: Wordpress Eshop
CVE-2015-3419 (vBulletin 5.x through 5.1.6 allows remote authenticated users to bypas ...)
	NOT-FOR-US: vBulletin
CVE-2015-3413
	RESERVED
	- hhvm 3.11.0+dfsg-1
	NOTE: https://github.com/facebook/hhvm/commit/02a7a8f086c9181002fca0f0d9cef42963fdf46a
CVE-2015-3412 (PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...)
	{DLA-307-1}
	- php5 5.6.9+dfsg-1
	[jessie] - php5 5.6.9+dfsg-0+deb8u1
	[wheezy] - php5 5.4.41-0+deb7u1
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257
	NOTE: https://bugs.php.net/bug.php?id=69353
CVE-2015-3411 (PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...)
	{DLA-307-1}
	- php5 5.6.9+dfsg-1
	[jessie] - php5 5.6.9+dfsg-0+deb8u1
	[wheezy] - php5 5.4.41-0+deb7u1
	NOTE: https://bugs.php.net/bug.php?id=69353
CVE-2015-3410
	RESERVED
CVE-2015-3427 (Quassel before 0.12.2 does not properly re-initialize the database ses ...)
	{DSA-3258-1}
	- quassel 1:0.10.0-2.4 (bug #783926)
	[wheezy] - quassel (incomplete fix for CVE-2013-4422 not applied)
	[squeeze] - quassel (incomplete fix for CVE-2013-4422 not applied)
	NOTE: https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283
	NOTE: http://quassel-irc.org/node/120
CVE-2015-3420 (The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 ...)
	- dovecot 1:2.2.13-12 (bug #783649)
	[jessie] - dovecot 1:2.2.13-12~deb8u1
	[wheezy] - dovecot (Problematic patch introducing the issue not applied)
	[squeeze] - dovecot (Vulnerable code not present & not reproducible)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/3
	NOTE: Patch: http://web.archive.org/web/20150907231530/http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
	NOTE: Segfault reproducible if using openssl/1.0.2a-1 from sid.
	NOTE: http://dovecot.org/pipermail/dovecot/2015-April/100579.html
	NOTE: It is openssl crashing but because dovecot ignores an earlier
	NOTE: returned error from dovecot, related to openssl bug:
	NOTE: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest
	NOTE: Possibly introduced due to http://web.archive.org/web/20150121182933/http://hg.dovecot.org:80/dovecot-2.2/rev/09d3c9c6f0ad
CVE-2015-3440 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in W ...)
	{DSA-3250-1 DLA-236-1}
	- wordpress 4.2.1+dfsg-1 (bug #783554)
	NOTE: http://klikki.fi/adv/wordpress2.html
	NOTE: https://wordpress.org/news/2015/04/wordpress-4-2-1/
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/27/4
	NOTE: https://core.trac.wordpress.org/changeset/32299
CVE-2015-XXXX [Some plugins were vulnerable to an SQL injection vulnerability]
	- wordpress 4.2+dfsg-1 (bug #783347)
	[jessie] - wordpress 4.1+dfsg-1+deb8u1
	[wheezy] - wordpress 3.6.1+dfsg-1~deb7u6
	[squeeze] - wordpress 3.6.1+dfsg-1~deb6u6
	NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/2
	NOTE: To be decided: https://www.openwall.com/lists/oss-security/2015/04/28/7
CVE-2015-XXXX [files with invalid or unsafe names could be uploaded]
	- wordpress 4.2+dfsg-1 (bug #783347)
	[jessie] - wordpress 4.1+dfsg-1+deb8u1
	[wheezy] - wordpress (File upload vulnerability only in WordPress 4.1 and higher)
	[squeeze] - wordpress (File upload vulnerability only in WordPress 4.1 and higher)
	NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/2
	NOTE: To be decided: https://www.openwall.com/lists/oss-security/2015/04/28/7
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/10/11
CVE-2015-3439 (Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiec ...)
	{DSA-3250-1 DLA-236-1}
	- wordpress 4.2+dfsg-1 (bug #783347)
	NOTE: http://codex.wordpress.org/Version_4.1.2
	NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
CVE-2015-3438 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress befor ...)
	{DSA-3250-1 DLA-236-1}
	- wordpress 4.2+dfsg-1 (bug #783347)
	NOTE: http://codex.wordpress.org/Version_4.1.2
	NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
CVE-2015-3451 (The _clone function in XML::LibXML before 2.0119 does not properly set ...)
	{DSA-3243-1 DLA-214-1}
	- libxml-libxml-perl 2.0116+dfsg-2 (bug #783443)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/25/2
	NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
	NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
CVE-2015-3418 (The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserv ...)
	{DLA-120-2}
	- xorg-server 2:1.16.4-1 (bug #774308)
	[wheezy] - xorg-server 2:1.12.4-6+deb7u6
	NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=928520 (not public yet)
CVE-2015-3417 (Use-after-free vulnerability in the ff_h264_free_tables function in li ...)
	{DSA-3288-1}
	- ffmpeg 7:2.6.1-1
	[squeeze] - ffmpeg (Vulnerable code not present)
	- libav 6:11.4-1
	[wheezy] - libav (Vulnerable code not present)
	NOTE: https://github.com/FFmpeg/FFmpeg/commit/e8714f6f93d1a32f4e4655209960afcf4c185214
CVE-2015-3404 (The Certify module before 6.x-2.3 for Drupal does not properly perform ...)
	NOT-FOR-US: Certify module for Drupal
CVE-2015-3403
	RESERVED
CVE-2015-3402
	RESERVED
CVE-2015-3401
	RESERVED
CVE-2015-3399
	RESERVED
CVE-2015-3398
	RESERVED
CVE-2015-3397 (Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 ...)
	- yii (bug #597899)
CVE-2015-3396
	RESERVED
CVE-2015-3395 (The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and ...)
	{DSA-3288-1}
	- ffmpeg 7:2.6.2-1
	[squeeze] - ffmpeg (Not supported in Squeeze LTS)
	- libav 6:11.4-1
	[wheezy] - libav
	- chromium-browser
	NOTE: Patch in ffmpeg: https://github.com/FFmpeg/FFmpeg/commit/f7e1367f58263593e6cee3c282f7277d7ee9d553
	NOTE: Patch in libav: https://git.libav.org/?p=libav.git;a=commit;h=5ecabd3c54b7c802522dc338838c9a4c2dc42948
CVE-2015-3394
	RESERVED
CVE-2015-3393 (Open redirect vulnerability in the Commerce WeDeal module before 7.x-1 ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3392 (Cross-site scripting (XSS) vulnerability in the Ajax Timeline module b ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3391 (The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote at ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3390 (Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3389 (Cross-site scripting (XSS) vulnerability in the Download counts report ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3388 (Cross-site request forgery (CSRF) vulnerability in the Commerce Balanc ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3387 (Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy To ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3386 (Cross-site scripting (XSS) vulnerability in the Node Access Product mo ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3385 (Cross-site scripting (XSS) vulnerability in the Taxonomy Path module b ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3384 (Cross-site scripting (XSS) vulnerability in the Bank Account Listing P ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3383 (Open redirect vulnerability in the Node basket module for Drupal allow ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3382 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Node ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3381 (Cross-site scripting (XSS) vulnerability in the Node basket module for ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3380 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Feat ...)
	NOT-FOR-US: Drupal addon
CVE-2015-3379 (The Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x ...)
	NOT-FOR-US: Drupal Views module
CVE-2015-3378 (Open redirect vulnerability in the Views module before 6.x-2.18, 6.x-3 ...)
	NOT-FOR-US: Drupal Views module
CVE-2015-3377
	RESERVED
CVE-2015-3376 (Cross-site scripting (XSS) vulnerability in the Quizzler module before ...)
	NOT-FOR-US: Quizzler module for Drupal
CVE-2015-3375 (Cross-site request forgery (CSRF) vulnerability in the Shibboleth Auth ...)
	NOT-FOR-US: Shibboleth Authentication module for Drupal
CVE-2015-3374 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Corn ...)
	NOT-FOR-US: Corner module for Drupal
CVE-2015-3373 (The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and ...)
	NOT-FOR-US: Amazon AWS module for Drupal
CVE-2015-3372 (Cross-site scripting (XSS) vulnerability in the Node Invite module bef ...)
	NOT-FOR-US: Node Invite module for Drupal
CVE-2015-3371 (Open redirect vulnerability in the Node Invite module before 6.x-2.5 f ...)
	NOT-FOR-US: Node Invite module for Drupal
CVE-2015-3370 (Cross-site request forgery (CSRF) vulnerability in the Node Invite mod ...)
	NOT-FOR-US: Node Invite module for Drupal
CVE-2015-3369 (Cross-site scripting (XSS) vulnerability in the Taxonews module before ...)
	NOT-FOR-US: Taxonews module for Drupal
CVE-2015-3368 (Cross-site scripting (XSS) vulnerability in the administration user in ...)
	NOT-FOR-US: Classified Ads module for Drupal
CVE-2015-3367 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Patt ...)
	NOT-FOR-US: Patterns module for Drupal
CVE-2015-3366 (Cross-site request forgery (CSRF) vulnerability in the Alfresco module ...)
	NOT-FOR-US: Alfresco module for Drupal
CVE-2015-3365 (Cross-site scripting (XSS) vulnerability in the nodeauthor module for ...)
	NOT-FOR-US: nodeauthor module for Drupal
CVE-2015-3364 (Cross-site scripting (XSS) vulnerability in the Content Analysis modul ...)
	NOT-FOR-US: Content Analysis module for Drupal
CVE-2015-3363 (Cross-site request forgery (CSRF) vulnerability in the Contact Form Fi ...)
	NOT-FOR-US: Contact Forms Fields module for Drupal
CVE-2015-3362 (Cross-site scripting (XSS) vulnerability in the Video module before 7. ...)
	NOT-FOR-US: Video module for Drupal
CVE-2015-3361 (Cross-site scripting (XSS) vulnerability in the Linkit module before 7 ...)
	NOT-FOR-US: Linkit module for Drupal
CVE-2015-3360 (Cross-site scripting (XSS) vulnerability in the Term Merge module befo ...)
	NOT-FOR-US: Term Merge module for Drupal
CVE-2015-3359 (Multiple cross-site scripting (XSS) vulnerabilities in the Room Reserv ...)
	NOT-FOR-US: Room Reservations module for Drupal
CVE-2015-3358 (Multiple open redirect vulnerabilities in the Tadaa! module before 7.x ...)
	NOT-FOR-US: Tadaa! module for Drupal
CVE-2015-3357 (Cross-site scripting (XSS) vulnerability in the Wishlist module before ...)
	NOT-FOR-US: Wishlist module for Drupal
CVE-2015-3356 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Tada ...)
	NOT-FOR-US: Tadaa! module for Drupal
CVE-2015-3355 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Batc ...)
	NOT-FOR-US: Batch Jobs module for Drupal
CVE-2015-3354 (Cross-site request forgery (CSRF) vulnerability in the Wishlist module ...)
	NOT-FOR-US: Drupal module Wishlist
CVE-2015-3353 (Cross-site scripting (XSS) vulnerability in the Field Display Label mo ...)
	NOT-FOR-US: Field Display Label module for Drupal
CVE-2015-3352 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Jamm ...)
	NOT-FOR-US: Drupal module Jammer
CVE-2015-3351 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Log ...)
	NOT-FOR-US: Log Watcher module for Drupal
CVE-2015-3350 (Cross-site request forgery (CSRF) vulnerability in the Todo Filter mod ...)
	NOT-FOR-US: Drupal module Todo Filter
CVE-2015-3349 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Htac ...)
	NOT-FOR-US: Htaccess module for Drupal
CVE-2015-3348 (Cross-site scripting (XSS) vulnerability in the Cloudwords for Multili ...)
	NOT-FOR-US: Cloudwords for Multilingual Drupal module for Drupal
CVE-2015-3347 (Cross-site request forgery (CSRF) vulnerability in the Cloudwords for ...)
	NOT-FOR-US: Cloudwords for Multilingual Drupal module for Drupal
CVE-2015-3346 (SQL injection vulnerability in the WikiWiki module before 6.x-1.2 for ...)
	NOT-FOR-US: WikiWiki module for Drupal
CVE-2015-3345 (SQL injection vulnerability in the PHPlist Integration Module before 6 ...)
	NOT-FOR-US: Drupal module PHPlist
CVE-2015-3344 (Cross-site scripting (XSS) vulnerability in the Course module 6.x-1.x ...)
	NOT-FOR-US: Drupal module Course
CVE-2015-3343 (Cross-site request forgery (CSRF) vulnerability in the OPAC module bef ...)
	NOT-FOR-US: OPAC module for Drupal
CVE-2015-3342 (Open redirect vulnerability in the Ubercart Currency Conversion module ...)
	NOT-FOR-US: Ubercart Currency Conversion module for Drupal
CVE-2015-3341
	RESERVED
CVE-2015-3400 (sharenfs 0.6.4, when built with commits bcdd594 and 7d08880 from the z ...)
	- zfs-linux (Specific to packages on archive.zfsonlinux.org repositories)
	NOTE: Issue specific to the ZFS on Linux Debian packages as published in the archive.zfsonlinux.org repositories
	NOTE: https://github.com/zfsonlinux/zfs/issues/3319
CVE-2015-3338
	RESERVED
CVE-2015-3337 (Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1. ...)
	{DSA-3241-1}
	- elasticsearch 1.0.3+dfsg-7
	NOTE: https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released
CVE-2015-3336 (Google Chrome before 42.0.2311.90 does not always ask the user before ...)
	{DSA-3238-1}
	- chromium-browser 42.0.2311.90-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libv8-3.14 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-3335 (The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl ...)
	- chromium-browser (native client support not built)
CVE-2015-3334 (browser/ui/website_settings/website_settings.cc in Google Chrome befor ...)
	{DSA-3238-1}
	- chromium-browser 42.0.2311.90-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-3333 (Multiple unspecified vulnerabilities in Google V8 before 4.2.77.14, as ...)
	{DSA-3238-1}
	- chromium-browser 42.0.2311.90-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libv8-3.14 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-3340 (Xen 4.2.x through 4.5.x does not initialize certain fields, which allo ...)
	{DSA-3414-1}
	- xen 4.6.0-1 (unimportant; bug #784011)
	[wheezy] - xen 4.1.4-3+deb7u8
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-132.html
CVE-2015-4605 (The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo ...)
	{DLA-307-1}
	- php5 5.6.9+dfsg-1 (bug #783099)
	[jessie] - php5 5.6.9+dfsg-0+deb8u1
	[wheezy] - php5 5.4.41-0+deb7u1
	- file (Not reproducible with file, see #783108)
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd
	NOTE: https://bugs.php.net/bug.php?id=68819
CVE-2015-4604 (The mget function in softmagic.c in file 5.x, as used in the Fileinfo ...)
	{DLA-307-1}
	- php5 5.6.9+dfsg-1 (bug #783099)
	[jessie] - php5 5.6.9+dfsg-0+deb8u1
	[wheezy] - php5 5.4.41-0+deb7u1
	- file (Not reproducible with file, see #783108)
	NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd
	NOTE: https://bugs.php.net/bug.php?id=68819
CVE-2015-3339 (Race condition in the prepare_binprm function in fs/exec.c in the Linu ...)
	{DSA-3237-1 DLA-246-1}
	- linux 3.16.7-ckt9-3
	- linux-2.6
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/20/1
CVE-2015-7942 (The xmlParseConditionalSections function in parser.c in libxml2 does n ...)
	{DSA-3430-1 DLA-334-1}
	- libxml2 2.9.3+dfsg1-1 (bug #802827)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=744980#c8
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756456#c0
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450
CVE-2015-7941 (libxml2 2.9.2 does not properly stop parsing invalid input, which allo ...)
	{DSA-3430-1 DLA-266-1}
	- libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #783010)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=744980
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/19/5
	NOTE: https://www.openwall.com/lists/oss-security/2015/10/22/5
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (v2.9.3)
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 (v2.9.3)
CVE-2015-8710 (The htmlParseComment function in HTMLparser.c in libxml2 allows attack ...)
	{DSA-3430-1 DLA-266-1}
	- libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #782985)
	NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/19/4
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746048
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
CVE-2015-3328
	RESERVED
CVE-2015-3327
	RESERVED
CVE-2015-3326 (Trend Micro ScanMail for Microsoft Exchange (SMEX) 10.2 before Hot Fix ...)
	NOT-FOR-US: Trend Micro ScanMail for Exchange
CVE-2015-3325 (SQL injection vulnerability in forum.php in the WP Symposium plugin be ...)
	NOT-FOR-US: WP Symposium plugin for WordPress
CVE-2015-3324 (The ThinkServer System Manager (TSM) Baseboard Management Controller b ...)
	NOT-FOR-US: ThinkServer
CVE-2015-3323 (The ThinkServer System Manager (TSM) Baseboard Management Controller b ...)
	NOT-FOR-US: ThinkServer
CVE-2015-3322 (Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers befor ...)
	NOT-FOR-US: ThinkServer
CVE-2015-3321 (Services and files in Lenovo Fingerprint Manager before 8.01.42 have i ...)
	NOT-FOR-US: Lenovo
CVE-2015-3320 (Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 inclu ...)
	NOT-FOR-US: Lenovo USB Enhanced Performance Keyboard software
CVE-2015-3330 (The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP ...)
	{DSA-3198-1 DLA-212-1}
	- php5 5.6.7+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69218
	NOTE: https://bugs.php.net/bug.php?id=68486
	NOTE: Fixed by: https://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/17/3
	NOTE: For details on scope of the CVE assignment: https://www.openwall.com/lists/oss-security/2015/04/17/7
CVE-2015-3319 (Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly ...)
	NOT-FOR-US: Hotspot Express hotEx Billing Manager
CVE-2015-3318 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...)
	NOT-FOR-US: CA Common Services in ca.com products
CVE-2015-3317 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...)
	NOT-FOR-US: CA Common Services in ca.com products
CVE-2015-3316 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...)
	NOT-FOR-US: CA Common Services in ca.com products
CVE-2015-3314 (SQL injection vulnerability in WordPress Tune Library plugin before 1. ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-3313 (SQL injection vulnerability in WordPress Community Events plugin befor ...)
	NOT-FOR-US: Wordpress plugin
CVE-2015-3312
	RESERVED
CVE-2015-3311
	RESERVED
CVE-2015-3307 (The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4. ...)
	{DSA-3280-1 DLA-307-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69443
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae
CVE-2015-3329 (Multiple stack-based buffer overflows in the phar_set_inode function i ...)
	{DSA-3280-1 DLA-212-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
	NOTE: https://bugs.php.net/bug.php?id=69441
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/16/22
	NOTE: Fixed in 5.6.8 and 5.4.40
CVE-2015-3315 (Automatic Bug Reporting Tool (ABRT) allows local users to read, change ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3309 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...)
	- etherpad-lite (bug #576998)
CVE-2015-3308 (Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3. ...)
	[experimental] - gnutls28 3.3.14-1
	- gnutls28 3.3.8-7 (bug #782776)
	[jessie] - gnutls28 3.3.8-6+deb8u1
	- gnutls26 (Introduced in 3.3.0)
	NOTE: https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
	NOTE: https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02
CVE-2015-3305
	RESERVED
CVE-2015-3304
	RESERVED
CVE-2015-3303
	RESERVED
CVE-2015-3302 (The TheCartPress eCommerce Shopping Cart (aka The Professional WordPre ...)
	NOT-FOR-US: TheCartPress eCommerce Shopping Cart
CVE-2015-3301 (Directory traversal vulnerability in the TheCartPress eCommerce Shoppi ...)
	NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress
CVE-2015-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPres ...)
	NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress
CVE-2015-3299 (Cross-site scripting (XSS) vulnerability in the Floating Social Bar pl ...)
NOT-FOR-US: Wordpress plugin CVE-2015-3298 RESERVED CVE-2015-3296 (Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0 ...) NOT-FOR-US: NodeBB CVE-2015-3295 (markdown-it before 4.1.0 does not block data: URLs. ...) - ruby-rails-assets-markdown-it 4.2.1-1 CVE-2015-3294 (The tcp_request function in Dnsmasq before 2.73rc4 does not properly h ...) {DSA-3251-1 DLA-225-1} - dnsmasq 2.72-3.1 (bug #783459) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ad4a8ff7d9097008d7623df8543df435bfddeac8 CVE-2015-3293 (FortiMail 5.0.3 through 5.2.3 allows remote administrators to obtain c ...) NOT-FOR-US: FortiMail CVE-2015-3292 (The installer in NetApp OnCommand Workflow Automation before 2.2.1P1 a ...) NOT-FOR-US: NetApp OnCommand Workflow Automation CVE-2015-3291 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) {DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Present since 3.3) - linux-2.6 (Present since 3.3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a27507ca2d796cfa8d907de31ad730359c8a6d06 (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=810bc075f78ff2c221536eb3008eac6a492dba2d NOTE: Introduced around 3.3-rc1: (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3f3c8b8c4b2a34776c3470142a7c8baafcda6eb0) CVE-2015-3290 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) 
{DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Introduced in 3.13) - linux-2.6 (Introduced in 3.13) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9d05041679904b12c12421cbcf9cb5f4860a8d7b (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e181bb58143cb4a2e8f01c281b0816cd0e4798e (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a CVE-2015-3289 (OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated us ...) - glance 2015.1.0-4 (bug #793896) [jessie] - glance (Vulnerable code introduced later) [wheezy] - glance (Vulnerable code introduced later) CVE-2015-3288 (mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous page ...) - linux 4.2-1 [jessie] - linux 3.16.7-ckt17-1 [wheezy] - linux 3.2.71-1 NOTE: https://git.kernel.org/linus/6b7339f4c31ad69c8e9c0b2859276e22cf72176d (v4.2-rc2) CVE-2015-3287 REJECTED CVE-2015-3286 (Buffer overflow in the Solaris kernel extension in OpenAFS before 1.6. ...) - openafs (The Solaris kernel extension in versions through 1.6.12) NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-005.txt CVE-2015-3285 (The pioctl for the OSD FS command in OpenAFS before 1.6.13 uses the wr ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-004.txt CVE-2015-3284 (pioctls in OpenAFS 1.6.x before 1.6.13 allows local users to read kern ...) {DSA-3320-1} - openafs 1.6.13-1 [squeeze] - openafs (Only 1.6.0 trough 1.6.12) NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-003.txt CVE-2015-3283 (OpenAFS before 1.6.13 allows remote attackers to spoof bos commands vi ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-002.txt CVE-2015-3282 (vos in OpenAFS before 1.6.13, when updating VLDB entries, allows remot ...) 
{DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-001.txt CVE-2015-3281 (The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1. ...) {DSA-3301-1} - haproxy 1.5.14-1 [squeeze] - haproxy (Affects 1.5.x and 1.6-dev only) NOTE: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4 (1.5.x) CVE-2015-3280 (OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 20 ...) - nova 1:12.0.0-2 (low; bug #798883) [jessie] - nova (Minor issue) [wheezy] - nova (Affected code introduced later) NOTE: 2014.2 versions through 2014.2.3, and 2015.1 versions through 2015.1.1 CVE-2015-3279 (Integer overflow in filter/texttopdf.c in texttopdf in cups-filters be ...) {DSA-3303-1 DLA-314-1} - cups-filters 1.0.71-1 - cups 1.5.0-16 NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365 CVE-2015-3278 (The cipherstring parsing code in nss_compat_ossl while in multi-keywor ...) NOT-FOR-US: nss_compat_ossl (OpenSSL to NSS Porting Library) CVE-2015-3277 (The mod_nss module before 1.0.11 in Fedora allows remote attackers to ...) - libapache2-mod-nss (bug #795657) [stretch] - libapache2-mod-nss (Minor issue) [jessie] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) [wheezy] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) NOTE: Introduced by https://pagure.io/mod_nss/c/2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.10.11) CVE-2015-3276 (The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDA ...) - openldap (unimportant) NOTE: Debian builds with GNUTLS, not NSS CVE-2015-3275 (Multiple cross-site scripting (XSS) vulnerabilities in the SCORM modul ...) 
- moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614 CVE-2015-3274 (Cross-site scripting (XSS) vulnerability in the user_get_user_details ...) - moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Only similar function looks like the fixed version) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130 CVE-2015-3273 (mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the ...) - moodle (Affects only 2.9) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50220 CVE-2015-3272 (Open redirect vulnerability in the clean_param function in lib/moodlel ...) - moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50688 CVE-2015-3271 (Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow re ...) - tika (The server isn't shipped in the Debian package) NOTE: https://marc.info/?l=oss-security&m=143948566828051&w=2 CVE-2015-3270 (Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authent ...) NOT-FOR-US: Apache Ambari CVE-2015-3269 (Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveC ...) NOT-FOR-US: Adobe CVE-2015-3268 (Cross-site scripting (XSS) vulnerability in the DisplayEntityField.get ...) NOT-FOR-US: Apache OFBiz CVE-2015-3267 (Cross-site scripting (XSS) vulnerability in the 404 error page in Red ...) NOT-FOR-US: JBoss Operations Network CVE-2015-3266 RESERVED CVE-2015-3265 RESERVED CVE-2015-3264 RESERVED CVE-2015-3263 RESERVED CVE-2015-3262 RESERVED CVE-2015-3261 RESERVED CVE-2015-3260 RESERVED CVE-2015-3259 (Stack-based buffer overflow in the xl command line utility in Xen 4.1. ...) 
{DSA-3414-1} - xen 4.6.0-1 (low; bug #795721) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (xl not shipped in Squeeze) NOTE: http://xenbits.xen.org/xsa/advisory-137.html CVE-2015-3258 (Heap-based buffer overflow in the WriteProlog function in filter/textt ...) {DSA-3303-1 DLA-314-1} - cups-filters 1.0.70-1 - cups 1.5.0-16 NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1235385 CVE-2015-3257 (Zend/Diactoros/Uri::filterPath in zend-diactoros before 1.0.4 does not ...) NOT-FOR-US: zend-diactoros NOTE: https://framework.zend.com/security/advisory/ZF2015-05 CVE-2015-3256 (PolicyKit (aka polkit) before 0.113 allows local users to cause a deni ...) - policykit-1 (The Policykit versions which rely on Javascript/Spidermonkey haven't been uploaded to unstable) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=69501 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=910262#c75 CVE-2015-3255 (The polkit_backend_action_pool_init function in polkitbackend/polkitba ...) [experimental] - policykit-1 0.113-1 - policykit-1 0.105-12 (bug #796134) [jessie] - policykit-1 0.105-15~deb8u1 [wheezy] - policykit-1 (Minor issue) [squeeze] - policykit-1 (Minor issue) NOTE: http://cgit.freedesktop.org/polkit/commit/?id=9f5e0c731784003bd4d6fc75ab739ff8b2ea269f CVE-2015-3254 (The client libraries in Apache Thrift before 0.9.3 might allow remote ...) - thrift-compiler (Vulnerable code not present) NOTE: Affects src:thrift, which is only in experimental. The issue is fixed upstream in 0.9.3 NOTE: so any future upload of thrift to unstable can mark this item as (fixed NOTE: before the initial upload to Debian unstable) CVE-2015-3253 (The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...) 
{DLA-274-1} - groovy 2.4.6-1 (bug #793397) [jessie] - groovy 1.8.6-4+deb8u1 [wheezy] - groovy 1.8.6-1+deb7u1 - groovy2 2.2.2+dfsg-5 (bug #793398) [jessie] - groovy2 2.2.2+dfsg-3+deb8u1 CVE-2015-3252 (Apache CloudStack before 4.5.2 does not properly preserve VNC password ...) NOT-FOR-US: Apache CloudStack CVE-2015-3251 (Apache CloudStack before 4.5.2 might allow remote authenticated admini ...) NOT-FOR-US: Apache CloudStack CVE-2015-3250 (Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct ...) - apache-directory-api 1.0.0~M20-3 (bug #791957) NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/5 CVE-2015-3249 (The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before ...) - trafficserver 5.3.1-1 [wheezy] - trafficserver (HTTP2 support does not exist) NOTE: http://mail-archives.us.apache.org/mod_mbox/www-announce/201507.mbox/%3CCABF6JR37mWzDmXDqRQwRUXiojBZrhidndnsY1ZgmcZv-o7-a+g@mail.gmail.com%3E CVE-2015-3248 (openhpi/Makefile.am in OpenHPI before 3.6.0 uses world-writable permis ...) - openhpi (Only affects RPM packaging, in Debian directory is not world-writable, bug #789543) CVE-2015-3247 (Race condition in the worker_update_monitors_config function in SPICE ...) {DSA-3354-1} - spice 0.12.5-1.2 (bug #797976) [wheezy] - spice (monitors_config support introduced in 0.11.3) NOTE: Referenced Bug with Details from Red Hat is currently private NOTE: Patch: https://git.centos.org/blob/rpms!spice.git/11e32f6dd156a3c4847da29d989837437e973ccc/SOURCES!0038-Avoid-race-conditions-reading-monitor-configs-from-g.patch CVE-2015-3246 (libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhe ...) {DLA-468-1} - libuser 1:0.62~dfsg-0.1 (bug #793465) [jessie] - libuser (Minor issue) CVE-2015-3245 (Incomplete blacklist vulnerability in the chfn function in libuser bef ...) 
{DLA-468-1} - libuser 1:0.62~dfsg-0.1 (bug #793465) [jessie] - libuser (Minor issue) NOTE: initially attributed to usermode package, root-cause fixed in libuser instead CVE-2015-3244 (The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, ...) NOT-FOR-US: PortletBridge component of Red Hat JBoss Portal CVE-2015-3243 (rsyslog uses weak permissions for generating log files, which allows l ...) - rsyslog (unimportant) NOTE: The default for syslog is $FileCreateMode 0644 but the rsyslog.conf NOTE: provided by the Debian package sets $FileCreateMode 0640 CVE-2015-3242 REJECTED CVE-2015-3241 (OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlie ...) - nova 1:12.0.0-2 (bug #796109) [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: https://launchpad.net/bugs/1387543 NOTE: Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3, and version 2015.1.0 NOTE: https://git.openstack.org/cgit/openstack/nova/commit/?id=7ab75d5b0b75fc3426323bef19bf436a258b9707 CVE-2015-3240 (The pluto IKE daemon in libreswan before 3.15 and Openswan before 2.6. ...) - openswan [squeeze] - openswan (Not supported in Squeeze LTS) [wheezy] - openswan (Not supported in Wheezy LTS) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2015-3240/ CVE-2015-3239 (Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_ ...) {DLA-271-1} - libunwind 1.1-4 (low; bug #790830) [jessie] - libunwind (Minor issue) [wheezy] - libunwind (Minor issue) - android-platform-external-libunwind 7.0.0+r1-4 (bug #849346) NOTE: http://savannah.nongnu.org/bugs/?45276 (private bug) NOTE: http://git.savannah.gnu.org/cgit/libunwind.git/commit/?id=396b6c7ab737e2bff244d640601c436a26260ca1 CVE-2015-3238 (The _unix_run_helper_binary function in the pam_unix module in Linux-P ...) - pam 1.1.8-3.2 (bug #789986) [jessie] - pam 1.1.8-3.1+deb8u1 [wheezy] - pam (Minor issue e.g. 
in combination with enabled SELinux) [squeeze] - pam (Minor issue e.g. in combination with enabled SELinux) NOTE: https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=e89d4c97385ff8180e6e81e84c5aa745daf28a79 NOTE: https://www.redhat.com/archives/pam-list/2015-June/msg00001.html CVE-2015-3237 (The smb_request_state function in cURL and libcurl 7.40.0 through 7.42 ...) - curl 7.43.0-1 [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) [squeeze] - curl (Vulnerable code not present) NOTE: http://curl.haxx.se/docs/adv_20150617B.html CVE-2015-3236 (cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authenticat ...) - curl 7.43.0-1 [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) [squeeze] - curl (Vulnerable code not present) NOTE: http://curl.haxx.se/docs/adv_20150617A.html CVE-2015-3235 (Foreman before 1.9.0 allows remote authenticated users with the edit_u ...) - foreman (bug #663101) CVE-2015-3234 (The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3233 (Open redirect vulnerability in the Overlay module in Drupal 7.x before ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3232 (Open redirect vulnerability in the Field UI module in Drupal 7.x befor ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3231 (The Render cache system in Drupal 7.x before 7.38, when used to cache ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3230 (389 Directory Server (formerly Fedora Directory Server) before 1.3.3.1 ...) 
- 389-ds-base 1.3.3.12-1 (bug #789202) [jessie] - 389-ds-base (Vulnerable code not present, fix for 47838 not applied in Jessie) NOTE: https://fedorahosted.org/389/ticket/48194 NOTE: Regression if https://fedorahosted.org/389/ticket/47838 applied CVE-2015-3229 (fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to c ...) NOT-FOR-US: Fedora Atomic CVE-2015-3228 (Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc. ...) {DSA-3326-1 DLA-280-1} - ghostscript 9.15~dfsg-1 (bug #793489) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=696070 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859 NOTE: File to reproduce segfault with ps2pdf: http://bugs.ghostscript.com/attachment.cgi?id=11776 CVE-2015-3227 (The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby ...) {DSA-3464-1 DLA-603-1} - rails 2:4.2.4-2 (bug #790487) [squeeze] - rails (Unsupported in squeeze-lts) [wheezy] - rails (Vulnerable code not present, is only a transitional package) - ruby-activesupport-3.2 - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 (https://lists.debian.org/debian-security-announce/2014/msg00164.html) CVE-2015-3226 (Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active ...) {DSA-3464-1} - rails 2:4.2.4-2 (bug #790486) [squeeze] - rails (Unsupported in squeeze-lts) [wheezy] - rails (Vulnerable code not present, is only a transitional package) - ruby-activesupport-3.2 [wheezy] - ruby-activesupport-3.2 (Vulnerable code not present) - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 (https://lists.debian.org/debian-security-announce/2014/msg00164.html) CVE-2015-3225 (lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used ...) {DSA-3322-1 DLA-254-1} - ruby-rack 1.5.2-4 (bug #789311) - ruby-rack1.4 - librack-ruby NOTE: http://seclists.org/oss-sec/2015/q2/729 has patches for 1.5 and 1.6 CVE-2015-3224 (request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x ...) 
NOT-FOR-US: Web Console Ruby Gem CVE-2015-3223 (The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, ...) {DSA-3433-1} - samba 2:4.1.22+dfsg-1 [wheezy] - samba (Only affects 4.0.0 to 4.3.2) [squeeze] - samba (Only affects 4.0.0 to 4.3.2) - ldb 2:1.1.24-1 [jessie] - ldb 2:1.1.17-2+deb8u1 [wheezy] - ldb (Minor issue, only relevant in conjunction with Samba 4, which isn't in wheezy) [squeeze] - ldb (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2015-3223.html NOTE: https://git.samba.org/?p=samba.git;a=commit;h=fb456954f332c07a645226d59b3b00ec252f8b26 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684 (v4-1-stable) NOTE: Samba update needs as well fixed ldb CVE-2015-3222 (syscheck/seechanges.c in OSSEC 2.7 through 2.8.1 on NIX systems allows ...) - ossec-hids (bug #361954) CVE-2015-3221 (OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 ...) - neutron 2015.1.0+2015.06.24.git61.bdf194a0e1-1 (bug #789713) [jessie] - neutron (ipset code introduced in Juno) NOTE: https://bugs.launchpad.net/neutron/+bug/1461054/comments/18 NOTE: 2014.2 versions through 2014.2.3 and 2015.1.0 version CVE-2015-3220 (The tlslite library before 0.4.9 for Python allows remote attackers to ...) - tlslite CVE-2015-3219 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack se ...) {DSA-3617-1} - horizon 2015.1.0+2015.06.09.git15.e63af6c598-1 (bug #788306) [wheezy] - horizon (Vulnerable code not present) NOTE: 2014.2 versions through 2014.2.3 and version 2015.1.0 CVE-2015-3218 (The authentication_agent_new function in polkitbackend/polkitbackendin ...) 
[experimental] - policykit-1 0.113-1 - policykit-1 0.105-11 (bug #787932) [jessie] - policykit-1 0.105-15~deb8u1 [wheezy] - policykit-1 (Minor issue) [squeeze] - policykit-1 (Vulnerable code introduced later) NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html NOTE: Patch: http://cgit.freedesktop.org/polkit/commit/?id=48e646918efb2bf0b3b505747655726d7869f31c NOTE: Introduced by: http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848 CVE-2015-3217 (PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty ...) - pcre3 2:8.38-1 (bug #787641) [jessie] - pcre3 (Minor issue) [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1638 NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1566 NOTE: More information: https://bugzilla.redhat.com/show_bug.cgi?id=1228283#c2 CVE-2015-3216 (Race condition in a certain Red Hat patch to the PRNG lock implementat ...) - openssl (Affects Red Hat specific patch) NOTE: More information in https://bugzilla.redhat.com/show_bug.cgi?id=1225994 CVE-2015-3215 (The NetKVM Windows Virtio driver allows remote attackers to cause a de ...) NOT-FOR-US: virtio Windows drivers CVE-2015-3214 (The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and Q ...) 
{DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #795461) [wheezy] - qemu (Introduced in 1.3.0) [squeeze] - qemu (Introduced in 1.3.0) - qemu-kvm (Introduced in 1.3.0) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code introduced in 1.3.0, embedded version is 0.10.2) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d4862a87e31a51de9eb260f25c9e99a75efe3235 NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0505bcdec8228d8de39ab1a02644e71999e7c052 (v1.3.0-rc0) - linux (Fixed before linux-2.6 -> linux rename, v2.6.33-rc8) - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924 (v2.6.33-rc8) CVE-2015-3213 (The gesture handling code in Clutter before 1.16.2 allows physically p ...) - clutter-1.0 1.18.0-1 [wheezy] - clutter-1.0 (Vulnerable code introduced later) [squeeze] - clutter-1.0 (Vulnerable code was introduced past 1.12.0) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=749847 NOTE: Introduced by: https://git.gnome.org/browse/clutter/commit/?id=abcf1d589f29ba7914d5648bb9814ad26c13cd83 (1.13.2) NOTE: Fixed by: https://git.gnome.org/browse/clutter/commit/?id=97724939c8de004d7fa230f3ff64862d957f93a9 (1.17.2) CVE-2015-3212 (Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 a ...) {DSA-3329-1} - linux 4.0.8-1 - linux-2.6 (Vulnerable code introduced later) NOTE: https://marc.info/?l=linux-netdev&m=143277436124732&w=2 NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f7d653b67aed2d92540fbb0a8adaf32fcf352ae (v3.1-rc1) CVE-2015-3211 (php-fpm allows local users to write to or create arbitrary files via a ...) - php5 (Red Hat specific problem in the rpm package) CVE-2015-3210 (Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 a ...) 
- pcre3 2:8.35-7.2 (bug #787433) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: https://bugs.exim.org/show_bug.cgi?id=1636 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1558 NOTE: Affected code refactored in: http://vcs.pcre.org/pcre?view=revision&revision=1359 (8.34) NOTE: Issue then introduced by: http://vcs.pcre.org/pcre?view=revision&revision=1361 CVE-2015-3209 (Heap-based buffer overflow in the PCNET controller in QEMU allows remo ...) {DSA-3286-1 DSA-3285-1 DSA-3284-1} - qemu 1:2.3+dfsg-6 (bug #788460) [wheezy] - qemu 1.1.2+dfsg-6a+deb7u8 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) - xen-qemu-dm-4.0 [squeeze] - xen-qemu-dm-4.0 (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-135.html CVE-2015-3208 (XML external entity (XXE) vulnerability in the XPath selector componen ...) NOT-FOR-US: HornetQ CVE-2015-3207 RESERVED CVE-2015-3206 (The checkPassword function in python-kerberos does not authenticate th ...) {DLA-265-2 DLA-265-1} - pykerberos 1.1.5-1 (bug #796195) [jessie] - pykerberos 1.1.5-0.1+deb8u1 [wheezy] - pykerberos 1.1+svn4895-1+deb7u1 NOTE: CVE originally assigned for python-kerberos, pykerberos is a fork of the NOTE: former. NOTE: KDC verification support in pykerberos added in https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c NOTE: Using the above code as is might break existing installations since a keytab is required to call krb5_verify_init_creds CVE-2015-3205 (libmimedir allows remote attackers to execute arbitrary code via a VCF ...) 
- libmimedir (bug #789197) [jessie] - libmimedir (Minor issue) [wheezy] - libmimedir (Minor issue) [squeeze] - libmimedir (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1222251 CVE-2015-3204 (libreswan 3.9 through 3.12 allows remote attackers to cause a denial o ...) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204.txt NOTE: https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204-libreswan.patch CVE-2015-3203 (Unrestricted file upload vulnerability in h5ai before 0.25.0 allows re ...) NOT-FOR-US: h5ai CVE-2015-3202 (fusermount in FUSE before 2.9.3-15 does not properly clear the environ ...) {DSA-3268-2 DSA-3268-1 DSA-3266-1 DLA-238-1 DLA-226-2 DLA-226-1} - fuse 2.9.3-16 (bug #786439) NOTE: Upstream fix: http://web.archive.org/web/20150529051222/http://sourceforge.net:80/p/fuse/fuse/ci/fe2d96 - ntfs-3g 1:2014.2.15AR.3-3 (bug #786475) NOTE: ntfs-3g source wise affected but wheezy version uses --with-fuse=external NOTE: ntfs-3g is built with internal copy since 1:2013.1.13AR.3-2 CVE-2015-3201 (Thermostat before 2.0.0 uses world-readable permissions for the web.xm ...) NOT-FOR-US: thermostat CVE-2015-3200 (mod_auth in lighttpd before 1.4.36 allows remote attackers to inject a ...) - lighttpd 1.4.37-1 (low; bug #787132) [jessie] - lighttpd (Minor issue) [wheezy] - lighttpd (Minor issue) [squeeze] - lighttpd (Minor issue) NOTE: http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html NOTE: http://redmine.lighttpd.net/issues/2646 CVE-2015-3199 REJECTED CVE-2015-3198 (The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before 10 ...) NOT-FOR-US: Undertow module of WildFly / JBOSS CVE-2015-3197 (ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f d ...) 
{DLA-421-1} - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: No MITM: https://bugzilla.redhat.com/show_bug.cgi?id=1301846#c3 CVE-2015-3196 (ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and ...) {DSA-3413-1} - openssl 1.0.2d-1 [squeeze] - openssl (Only affects 1.0.0 to 1.0.2) CVE-2015-3195 (The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in Open ...) {DSA-3413-1 DLA-358-1} - openssl 1.0.2e-1 NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3194 (crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before ...) {DSA-3413-1} - openssl 1.0.2e-1 [squeeze] - openssl (Only affects 1.0.1 and 1.0.2) NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3193 (The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.p ...) - openssl 1.0.2e-1 [jessie] - openssl (Only affects 1.0.2) [wheezy] - openssl (Only affects 1.0.2) [squeeze] - openssl (Only affects 1.0.2) NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3192 (Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not pro ...) {DLA-1853-1} - libspring-java 4.1.9-1 (low; bug #796137) [wheezy] - libspring-java (Minor issue) NOTE: https://pivotal.io/security/cve-2015-3192 NOTE: https://jira.spring.io/browse/SPR-13136 CVE-2015-3191 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3190 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3189 (With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3188 (The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote ...) NOT-FOR-US: Apache Storm CVE-2015-3187 (The svn_repos_trace_node_locations function in Apache Subversion befor ...) 
{DSA-3331-1 DLA-293-1} - subversion 1.9.0-1 NOTE: https://subversion.apache.org/security/CVE-2015-3187-advisory.txt CVE-2015-3186 (Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 ...) NOT-FOR-US: Apache Ambari CVE-2015-3185 (The ap_some_auth_required function in server/request.c in the Apache H ...) {DSA-3325-1} - apache2 2.4.16-1 [wheezy] - apache2 (Bug introduced during 2.4 development) [squeeze] - apache2 (Bug introduced during 2.4 development) NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684525 NOTE: Behavior changed in 2.4.x refactoring, API no longer usable in 2.4.x CVE-2015-3184 (mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x befor ...) {DSA-3331-1} - subversion 1.9.0-1 [wheezy] - subversion (1.6 does not build with apache 2.4) [squeeze] - subversion (1.6 does not build with apache 2.4) NOTE: https://subversion.apache.org/security/CVE-2015-3184-advisory.txt NOTE: subversion needs to be built with a fixed apache version CVE-2015-3183 (The chunked transfer coding implementation in the Apache HTTP Server b ...) {DSA-3325-1 DLA-284-1} - apache2 2.4.16-1 NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684515 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687338 (2.2.x) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x) CVE-2015-3182 (epan/dissectors/packet-dec-dnart.c in the DECnet NSP/RT dissector in W ...) 
- wireshark 1.12.0~rc1-1 [jessie] - wireshark (Only affected 1.10.x) [wheezy] - wireshark (Only affected 1.10.x) [squeeze] - wireshark (Only affected 1.10.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1219409 CVE-2015-3181 (files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2. ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3180 (lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2. ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3179 (login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3178 (Cross-site scripting (XSS) vulnerability in the external_format_text f ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3177 (Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe ...) - moodle (Only affects versions 2.8 to 2.8.5) CVE-2015-3176 (The account-confirmation feature in login/confirm.php in Moodle throug ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3175 (Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3174 (mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2 ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3173 RESERVED CVE-2015-3172 RESERVED CVE-2015-3171 (sosreport 3.2 uses weak permissions for generated sosreport archives, ...) 
- sosreport 3.2-2 (bug #769521) NOTE: https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6 NOTE: https://github.com/sosreport/sos/issues/425 CVE-2015-3170 (selinux-policy when sysctl fs.protected_hardlinks are set to 0 allows ...) NOT-FOR-US: Red Hat specific issue with selinux-policy rpm package CVE-2015-3169 (Cross-site scripting (XSS) vulnerability in askbot 0.7.51-4.el6.noarch ...) - askbot (bug #687966) CVE-2015-3168 REJECTED CVE-2015-3167 (contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2 ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 NOTE: Since 9.1.1-2 src:postgresql-9.1 builds only postgresql-plperl-9.1, source-wise fixed - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3166 (The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3165 (Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9. ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 NOTE: Since 9.1.1-2 src:postgresql-9.1 builds only postgresql-plperl-9.1, source-wise fixed - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3164 (The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 s ...) 
	- xorg-server 2:1.17.2-1 (bug #788410)
	[jessie] - xorg-server 2:1.16.4-1+deb8u2
	[wheezy] - xorg-server (XWayland not present)
	[squeeze] - xorg-server (XWayland not present)
	NOTE: http://lists.freedesktop.org/archives/wayland-devel/2015-June/022548.html
	NOTE: Patch 1/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a38b68aa07fb82318040dc8154fb48a9588
	NOTE: Patch 2/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b9086d02b80549981d205fb1f495edc373538
	NOTE: Patch 3/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac12f2d1dbdf7be08222f80e7505d53c451
CVE-2015-3163 (The admin pages for power types and key types in Beaker before 20.1 do ...)
	NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian)
CVE-2015-3162 (Cross-site scripting (XSS) vulnerability in the edit comment dialog in ...)
	NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian)
CVE-2015-3161 (The search bar code in bkr/server/widgets.py in Beaker before 20.1 doe ...)
	NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian)
CVE-2015-3160 (XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beake ...)
	NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian)
CVE-2015-3159 (The abrt-action-install-debuginfo-to-abrt-cache help program in Automa ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3158 (The invokeNextValve function in identity/federation/bindings/tomcat/id ...)
	NOT-FOR-US: PicketLink
CVE-2015-3157 REJECTED
CVE-2015-3156 (The _write_config function in trove/guestagent/datastore/experimental/ ...)
	- openstack-trove (unimportant; bug #787654)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1216073#c1
	NOTE: partially fixed already in 2015.1~rc2-1, cf. #787654
	NOTE: will be completed during kilo release
CVE-2015-3155 (Foreman before 1.8.1 does not set the secure flag for the _session_id ...)
	- foreman (bug #663101)
CVE-2015-3154 (CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framewor ...)
	{DSA-3265-1 DLA-251-1}
	- zendframework 1.12.12+dfsg-1
	[jessie] - zendframework 1.12.9+dfsg-2+deb8u1
	NOTE: http://framework.zend.com/security/advisory/ZF2015-04
CVE-2015-3153 (The default configuration for cURL and libcurl before 7.42.1 sends cus ...)
	{DSA-3240-1}
	- curl 7.42.1-1
	[wheezy] - curl (Too intrusive to backport)
	[squeeze] - curl (Too intrusive to backport)
	NOTE: http://curl.haxx.se/docs/adv_20150429.html
CVE-2015-3152 (Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclien ...)
	{DSA-3311-1}
	- mariadb-10.0 10.0.20-1
	- percona-xtradb-cluster-5.5
	NOTE: CVE was assigned explicitly only for MariaDB and Percona, but not Oracle MySQL
	NOTE: since Oracle is a CNA itself.
	NOTE: http://www.ocert.org/advisories/ocert-2015-003.html
	NOTE: http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
	NOTE: https://mariadb.atlassian.net/browse/MDEV-7937
CVE-2015-3151 (Directory traversal vulnerability in abrt-dbus in Automatic Bug Report ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3150 (abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3149 (The Hotspot component in OpenJDK8 as packaged in Red Hat Enterprise Li ...)
	- openjdk-8 (defective patch not applied)
CVE-2015-3148 (cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenti ...)
	{DSA-3232-1 DLA-211-1}
	- curl 7.42.0-1
	NOTE: http://curl.haxx.se/docs/adv_20150422B.html
CVE-2015-3147 (daemon/abrt-handle-upload.in in Automatic Bug Reporting Tool (ABRT), w ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3146 (The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in ...)
	- libssh 0.6.3-4.2 (bug #784404)
	[jessie] - libssh 0.6.3-4+deb8u1
	[wheezy] - libssh 0.5.4-1+deb7u3
	[squeeze] - libssh (Issue only present in versions > 0.5.1, squeeze has 0.4.5)
	NOTE: https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
CVE-2015-3145 (The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7 ...)
	- curl 7.42.0-1
	[jessie] - curl 7.38.0-4+deb8u1
	[wheezy] - curl (Affects 7.31.0 to and including 7.41.0)
	[squeeze] - curl (Affects 7.31.0 to and including 7.41.0)
	NOTE: http://curl.haxx.se/docs/adv_20150422C.html
CVE-2015-3144 (The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 do ...)
	- curl 7.42.0-1
	[jessie] - curl 7.38.0-4+deb8u1
	[wheezy] - curl (Affects 7.37.0 to and including 7.41.0)
	[squeeze] - curl (Affects 7.37.0 to and including 7.41.0)
	NOTE: http://curl.haxx.se/docs/adv_20150422D.html
CVE-2015-3143 (cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM c ...)
	{DSA-3232-1 DLA-211-1}
	- curl 7.42.0-1
	NOTE: http://curl.haxx.se/docs/adv_20150422A.html
CVE-2015-3142 (The kernel-invoked coredump processor in Automatic Bug Reporting Tool ...)
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-3141 (Multiple cross-site request forgery (CSRF) vulnerabilities in Synametr ...)
	NOT-FOR-US: Synametrics Technologies Xeams
CVE-2015-3140 (Multiple cross-site request forgery (CSRF) vulnerabilities in Synametr ...)
	NOT-FOR-US: Synametrics
CVE-2015-3139 RESERVED
CVE-2015-3138 (print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a ...)
	- tcpdump (Introduced in 4.7)
	NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/446
	NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/3ed82f4ed0095768529afc22b923c8f7171fff70
	NOTE: Introduced by: https://github.com/the-tcpdump-group/tcpdump/commit/3a3ec26085461998074b827b112d38e8f3246a86
CVE-2015-3137 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3136 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3135 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3134 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3133 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3132 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3131 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3130 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3129 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3128 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3127 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3126 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3125 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3124 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3123 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3122 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3121 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3120 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3119 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3118 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3117 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3116 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3115 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3114 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3113 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and ...)
	NOT-FOR-US: Adobe Flash Player
	NOTE: https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
CVE-2015-3112 (Adobe Photoshop CC before 16.0 (aka 2015.0.0) and Adobe Bridge CC befo ...)
	NOT-FOR-US: Adobe
CVE-2015-3111 (Heap-based buffer overflow in Adobe Photoshop CC before 16.0 (aka 2015 ...)
	NOT-FOR-US: Adobe
CVE-2015-3110 (Integer overflow in Adobe Photoshop CC before 16.0 (aka 2015.0.0) and ...)
	NOT-FOR-US: Adobe
CVE-2015-3109 (Adobe Photoshop CC before 16.0 (aka 2015.0.0) allows attackers to exec ...)
	NOT-FOR-US: Adobe
CVE-2015-3108 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3107 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3106 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3105 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3104 (Integer overflow in Adobe Flash Player before 13.0.0.292 and 14.x thro ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3103 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3102 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3101 (The Flash broker in Adobe Flash Player before 13.0.0.292 and 14.x thro ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3100 (Stack-based buffer overflow in Adobe Flash Player before 13.0.0.292 an ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3099 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3098 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3097 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3096 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3095 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...)
	NOT-FOR-US: Adobe Reader and Acrobat
CVE-2015-3094 REJECTED
CVE-2015-3093 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3092 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3091 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3090 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3089 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3088 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.289 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3087 (Integer overflow in Adobe Flash Player before 13.0.0.289 and 14.x thro ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3086 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3085 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3084 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3083 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3082 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3081 (Race condition in Adobe Flash Player before 13.0.0.289 and 14.x throug ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3080 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.289 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3079 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3078 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3077 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3076 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3075 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-3074 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3073 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3072 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3071 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3070 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3069 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3068 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3067 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3066 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3065 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3064 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3063 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3062 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3061 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3060 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3059 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-3058 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3057 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3056 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3055 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-3054 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-3053 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...)
	NOT-FOR-US: Adobe
CVE-2015-3052 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3051 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3050 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3049 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3048 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.14 and 11 ...)
	NOT-FOR-US: Adobe
CVE-2015-3047 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3046 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...)
	NOT-FOR-US: Adobe
CVE-2015-3045 REJECTED
CVE-2015-3044 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3043 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3042 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3041 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3040 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3039 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3038 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2015-3037 RESERVED
CVE-2015-3036 (Stack-based buffer overflow in the run_init_sbus function in the KCode ...)
	NOT-FOR-US: KCodes NetUSB module for the Linux kernel
CVE-2015-3035 (Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firm ...)
	NOT-FOR-US: TP-LINK Router
CVE-2015-3034 RESERVED
CVE-2015-3033 RESERVED
CVE-2015-3032 RESERVED
CVE-2015-3031 RESERVED
CVE-2015-3027 (Clang in LLVM, as used in Apple Xcode before 6.3, performs incorrect r ...)
	NOT-FOR-US: Clang in LLVM as used in Apple Xcode
CVE-2015-3025 RESERVED
CVE-2015-3024 RESERVED
CVE-2015-3023 RESERVED
CVE-2015-3022 RESERVED
CVE-2015-3021 RESERVED
CVE-2015-3020 RESERVED
CVE-2015-3019 RESERVED
CVE-2015-3018 RESERVED
CVE-2015-3017 RESERVED
CVE-2015-3016 RESERVED
CVE-2015-3015 RESERVED
CVE-2015-3014 RESERVED
CVE-2015-3009 RESERVED
CVE-2015-3416 (The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does n ...)
	{DSA-3252-2 DSA-3252-1}
	- sqlite3 3.8.9-1 (bug #783968)
	[squeeze] - sqlite3 (Can't reproduce the issue)
	NOTE: http://www.sqlite.org/src/info/c494171f77dc2e5e
	NOTE: http://seclists.org/bugtraq/2015/Apr/97
	NOTE: https://lists.debian.org/debian-lts/2015/06/msg00031.html
CVE-2015-3415 (The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not ...)
	{DSA-3252-1}
	- sqlite3 3.8.9-1 (bug #783968)
	[wheezy] - sqlite3 (Vulnerable code not present)
	[squeeze] - sqlite3 (Vulnerable code not present)
	NOTE: https://www.sqlite.org/src/info/02e3c88fbf6abdcf
	NOTE: http://seclists.org/bugtraq/2015/Apr/97
CVE-2015-3414 (SQLite before 3.8.9 does not properly implement the dequoting of colla ...)
	{DSA-3252-1}
	- sqlite3 3.8.9-1 (bug #783968)
	[wheezy] - sqlite3 (Can't reproduce the issue)
	[squeeze] - sqlite3 (Can't reproduce the issue)
	NOTE: https://www.sqlite.org/src/info/eddc05e7bb31fae7
	NOTE: http://seclists.org/bugtraq/2015/Apr/97
CVE-2015-3306 (The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read a ...)
	{DSA-3263-1}
	- proftpd-dfsg 1.3.5-2 (bug #782781)
	[squeeze] - proftpd-dfsg (mod_copy not available in version 1.3.3)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/15/2
	NOTE: https://github.com/proftpd/proftpd/pull/109
	NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4169
	NOTE: https://cxsecurity.com/issue/WLB-2015040075
CVE-2015-3331 (The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_g ...)
	{DSA-3237-1}
	- linux 3.16.7-ckt9-3 (bug #782561)
	- linux-2.6
	[squeeze] - linux-2.6 (Vulnerable code introduced in v2.6.38-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/14/16
	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a (v4.0-rc5)
	NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0bd82f5f6355775fbaf7d3c664432ce1b862be1e (v2.6.38-rc1)
CVE-2015-3332 (A certain backport in the TCP Fast Open implementation for the Linux k ...)
	- linux 3.16.7-ckt9-3 (bug #782515)
	[jessie] - linux 3.16.7-ckt9-3~deb8u1
	[wheezy] - linux (TCP Fast Open introduced in v3.6-rc1)
	- linux-2.6 (TCP Fast Open introduced in v3.6-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/14/14
	NOTE: http://thread.gmane.org/gmane.linux.network/359588
CVE-2015-3310 (Buffer overflow in the rc_mksid function in plugins/radius/util.c in P ...)
	{DSA-3228-1 DLA-205-1}
	- ppp 2.4.6-3.1 (bug #782450)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/13/4
	NOTE: Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=ppp_2.4.6-3.1-nmu.diff;att=1;bug=782450
CVE-2015-5621 (The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlie ...)
	{DSA-4154-1 DLA-1317-1}
	- net-snmp 5.7.3+dfsg-1.1 (bug #788964)
	[squeeze] - net-snmp (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/13/1
	NOTE: Upstream patch: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/
	NOTE: https://sourceforge.net/p/net-snmp/bugs/2615/ (currently not public)
CVE-2015-4085 (Directory traversal vulnerability in node/hooks/express/tests.js in Et ...)
	- etherpad-lite (bug #576998)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/11/10
CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...)
	- etherpad-lite (bug #576998)
CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.cl ...)
	- ceph-deploy (Fixed with initial upload to Debian)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/09/9
CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 d ...)
	{DSA-3223-1 DLA-192-1}
	- ntp 1:4.2.6.p5+dfsg-7
	NOTE: https://bugs.ntp.org/show_bug.cgi?id=2797
	NOTE: Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/09/5
CVE-2015-3008 (Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x be ...)
	{DSA-3700-1 DLA-455-1}
	- asterisk 1:13.7.2~dfsg-1 (bug #782411)
	[squeeze] - asterisk (Not supported in Squeeze LTS)
	NOTE: http://downloads.asterisk.org/pub/security/AST-2015-003.html
	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24847
	NOTE: Patch: https://issues.asterisk.org/jira/secure/attachment/52082/asterisk-null-in-cn.patch
CVE-2015-3007 (The Juniper SRX Series services gateways with Junos OS 12.1X46 before ...)
	NOT-FOR-US: Juniper
CVE-2015-3006 (On the QFX3500 and QFX3600 platforms, the number of bytes collected fr ...)
	NOT-FOR-US: Juniper
CVE-2015-3005 (Cross-site scripting (XSS) vulnerability in the Dynamic VPN in Juniper ...)
	NOT-FOR-US: Juniper
CVE-2015-3004 (J-Web in Juniper Junos 11.4 before 11.4R12, 12.1X44 before 12.1X44-D35 ...)
	NOT-FOR-US: Juniper
CVE-2015-3003 (Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, ...)
	NOT-FOR-US: Juniper
CVE-2015-3002 (Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, ...)
	NOT-FOR-US: Juniper
CVE-2015-3001 (SysAid Help Desk before 15.2 uses a hardcoded password of Password1 fo ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-3000 (SysAid Help Desk before 15.2 allows remote attackers to cause a denial ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2999 (Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2998 (SysAid Help Desk before 15.2 uses a hardcoded encryption key, which ma ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2997 (SysAid Help Desk before 15.2 allows remote attackers to obtain sensiti ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2996 (Multiple directory traversal vulnerabilities in SysAid Help Desk befor ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2995 (The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not prop ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2994 (Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid He ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2993 (SysAid Help Desk before 15.2 does not properly restrict access to cert ...)
	NOT-FOR-US: SysAid Help Desk
CVE-2015-2992 (Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerabi ...)
	- libstruts1.2-java (Affects 2.0.0 - 2.3.16.3)
CVE-2015-2991 (Buffer overflow in NScripter before 3.00 allows remote attackers to ex ...)
	NOT-FOR-US: NScripter
CVE-2015-2990 (Directory traversal vulnerability in zhtml.cgi in NEOJAPAN desknet NEO ...)
	NOT-FOR-US: desknet NEO
CVE-2015-2989 (Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP T ...)
	NOT-FOR-US: LEMON-S
CVE-2015-2988 (Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certi ...)
	NOT-FOR-US: Rakuten card App for iOS
CVE-2015-2987 (Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, w ...)
	NOT-FOR-US: Type74 ED
CVE-2015-2986 (Cross-site scripting (XSS) vulnerability in rakuto.net hitSuji (rktSNS ...)
	NOT-FOR-US: hitSuji
CVE-2015-2985 (Cross-site scripting (XSS) vulnerability in guide-park.com BBS X102 1. ...)
	NOT-FOR-US: guide-park.com BBS
CVE-2015-2984 (I-O DATA DEVICE WN-G54/R2 routers with firmware before 1.03 and NP-BBR ...)
	NOT-FOR-US: I-O DATA
CVE-2015-2983 (Cross-site request forgery (CSRF) vulnerability in admin.php in PHP Ko ...)
	NOT-FOR-US: Kobo Photo Gallery CMS
CVE-2015-2982 (Cross-site scripting (XSS) vulnerability in jquery.lightbox-0.5.min.js ...)
	NOT-FOR-US: Kobo Photo Gallery CMS
CVE-2015-2981 (The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.50 ...)
	NOT-FOR-US: Yodobashi App for Android
CVE-2015-2980 (The Yodobashi application 1.2.1.0 and earlier for Android allows remot ...)
	NOT-FOR-US: Yodobashi application for Android
CVE-2015-2979 (Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary ...)
	NOT-FOR-US: Webservice-DIC yoyaku_v41
CVE-2015-2978 (Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentica ...)
	NOT-FOR-US: Webservice-DIC yoyaku_v41
CVE-2015-2977 (Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary ...)
	NOT-FOR-US: Webservice-DIC yoyaku_v41
CVE-2015-2976 (Multiple cross-site scripting (XSS) vulnerabilities in Research Artisa ...)
	NOT-FOR-US: Research Artisan Lite
CVE-2015-2975 (Research Artisan Lite before 1.18 does not ensure that a user has auth ...)
	NOT-FOR-US: Research Artisan Lite
CVE-2015-2974 (LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to uplo ...)
	NOT-FOR-US: LEMON-S PHP Gazou BBS
CVE-2015-2973 (Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plu ...)
	NOT-FOR-US: Welcart plugin for WordPress
CVE-2015-2972 (Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3. ...)
	NOT-FOR-US: Sysphonic Thetis
CVE-2015-2971 (Directory traversal vulnerability in Seeds acmailer before 3.8.18 and ...)
	NOT-FOR-US: Seeds acmailer
CVE-2015-2970 (index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote a ...)
	NOT-FOR-US: Oekaki BBS
CVE-2015-2969 (Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP S ...)
	NOT-FOR-US: Oekaki BBS
CVE-2015-2968 RESERVED
CVE-2015-2966 (Directory traversal vulnerability in the Droidware UK Explorer+ File M ...)
	NOT-FOR-US: Droidware UK Explorer+ File Manager application for Android
CVE-2015-2965 (Directory traversal vulnerability in osCommerce Japanese 2.2ms1j-R8 an ...)
	NOT-FOR-US: osCommerce Japanese
CVE-2015-2964 (NAMSHI | JOSE 5.0.0 and earlier allows remote attackers to bypass sign ...)
	NOT-FOR-US: NAMSHI | JOSE
CVE-2015-2963 (The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider t ...)
	NOT-FOR-US: thoughtbot paperclip gem for ruby
CVE-2015-2962 (CGI RESCUE BloBee 1.20 and earlier allows remote attackers to write to ...)
	NOT-FOR-US: CGI RESCUE BloBee
CVE-2015-2961 (Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyz ...)
	NOT-FOR-US: Zoho NetFlow Analyzer
CVE-2015-2960 (Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer buil ...)
	NOT-FOR-US: Zoho NetFlow Analyzer
CVE-2015-2959 (Zoho NetFlow Analyzer build 10250 and earlier does not check for admin ...)
	NOT-FOR-US: Zoho NetFlow Analyzer
CVE-2015-2958 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2957 (Cross-site scripting (XSS) vulnerability in Igreks MilkyStep Light 0.9 ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2956 (SQL injection vulnerability in Igreks MilkyStep Light 0.94 and earlier ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2955 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2954 (Cross-site request forgery (CSRF) vulnerability in Igreks MilkyStep Li ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2953 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2952 (The user-information management functionality in Igreks MilkyStep Ligh ...)
	NOT-FOR-US: Igreks MilkyStep
CVE-2015-2951 (JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signat ...)
	NOT-FOR-US: PHP JWT library
CVE-2015-2950 (Directory traversal vulnerability in the Brandon Bowles Open Explorer ...)
	NOT-FOR-US: Brandon Bowles Open Explorer application for Android
CVE-2015-2949 (Cross-site scripting (XSS) vulnerability in ZenPhoto20 1.1.3 and earli ...)
	NOT-FOR-US: ZenPhoto20
CVE-2015-2948 (Cross-site scripting (XSS) vulnerability in the image processor in Zen ...)
	NOT-FOR-US: Zenphoto
CVE-2015-2947 (KanColleViewer versions 3.8.1 and earlier operates as an open proxy wh ...)
	NOT-FOR-US: KanColleViewer
CVE-2015-2946 (Stack-based buffer overflow in the Open CAD Format Council SXF common ...)
	NOT-FOR-US: Open CAD Format Council SXF common library
CVE-2015-2945 (mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does ...)
	NOT-FOR-US: Hajime Fujimoto mt-phpincgi
CVE-2015-2944 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling AP ...)
	NOT-FOR-US: Apache Sling
CVE-2015-2943 (Honda Moto LINC 1.6.1 does not verify SSL certificates. ...)
	NOT-FOR-US: Honda Moto LINC
CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for URL au ...)
	{DSA-3239-1}
	- icecast2 2.4.2-1 (bug #782120)
	[wheezy] - icecast2 (stream_auth introduced in 2.3.3)
	[squeeze] - icecast2 (stream_auth introduced in 2.3.3)
	NOTE: https://trac.xiph.org/ticket/2191
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/08/8
CVE-2015-3030 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...)
	NOT-FOR-US: McAfee Advanced Threat Defense
CVE-2015-3029 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...)
	NOT-FOR-US: McAfee Advanced Threat Defense
CVE-2015-3028 (McAfee Advanced Threat Defense (MATD) before 3.4.4.63 allows remote au ...)
	NOT-FOR-US: McAfee Advanced Threat Defense
CVE-2015-2930 RESERVED
CVE-2015-2926 (Cross-site scripting (XSS) vulnerability in Php/stats/statsRecent.inc. ...)
	NOT-FOR-US: phpTrafficA
CVE-2015-3406 (The PGP signature parsing in Module::Signature before 0.74 allows remo ...)
	{DSA-3261-1 DLA-264-1}
	- libmodule-signature-perl 0.78-1 (bug #783451)
	NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
	NOTE: Changes might be needed in libtest-signature-perl, need further investigation
CVE-2015-3407 (Module::Signature before 0.74 allows remote attackers to bypass signat ...)
	{DSA-3261-1 DLA-264-1}
	- libmodule-signature-perl 0.78-1 (bug #783451)
	NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
	NOTE: libtest-signature-perl needed to be updated
CVE-2015-3408 (Module::Signature before 0.74 allows remote attackers to execute arbit ...)
	{DSA-3261-1 DLA-264-1}
	- libmodule-signature-perl 0.78-1 (bug #783451)
	NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
	NOTE: Changes might be needed in libtest-signature-perl, need further investigation
CVE-2015-3409 (Untrusted search path vulnerability in Module::Signature before 0.75 a ...)
	{DSA-3261-1 DLA-264-1}
	- libmodule-signature-perl 0.78-1 (bug #783451)
	NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
	NOTE: Changes might be needed in libtest-signature-perl, need further investigation
CVE-2015-2921
	RESERVED
CVE-2015-2920
	RESERVED
CVE-2015-2919
	RESERVED
CVE-2015-2918 (The Studio component in OrientDB Server Community Edition before 2.0.1 ...)
	NOT-FOR-US: OrientDB
CVE-2015-2917 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...)
	NOT-FOR-US: Securifi Almond
CVE-2015-2916 (Cross-site request forgery (CSRF) vulnerability on Securifi Almond dev ...)
	NOT-FOR-US: Securifi Almond
CVE-2015-2915 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...)
	NOT-FOR-US: Securifi Almond
CVE-2015-2914 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...)
	NOT-FOR-US: Securifi Almond
CVE-2015-2913 (server/network/protocol/http/OHttpSessionManager.java in the Studio co ...)
	NOT-FOR-US: OrientDB
CVE-2015-2912 (The JSONP endpoint in the Studio component in OrientDB Server Communit ...)
	NOT-FOR-US: OrientDB
CVE-2015-2911
	RESERVED
CVE-2015-2910
	RESERVED
CVE-2015-2909 (Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 dev ...)
	NOT-FOR-US: Dedicated Micros DVR products
CVE-2015-2908 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...)
	NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles
CVE-2015-2907 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...)
	NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles
CVE-2015-2906 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...)
	NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles
CVE-2015-2905 (Cross-site request forgery (CSRF) vulnerability on Actiontec GT784WN m ...)
	NOT-FOR-US: Actiontec
CVE-2015-2904 (Actiontec GT784WN modems with firmware before NCS01-1.0.13 have hardco ...)
	NOT-FOR-US: Actiontec
CVE-2015-2903 (The CWSAPI SOAP service in HP ArcSight SmartConnectors before 7.1.6 ha ...)
	NOT-FOR-US: HP ArcSight
CVE-2015-2902 (HP ArcSight SmartConnectors before 7.1.6 do not verify X.509 certifica ...)
	NOT-FOR-US: HP ArcSight
CVE-2015-2901 (Multiple stack-based buffer overflows in Medicomp MEDCIN Engine 2.22.2 ...)
	NOT-FOR-US: Medicomp
CVE-2015-2900 (The AddUserFinding add_userfinding2 function in Medicomp MEDCIN Engine ...)
	NOT-FOR-US: Medicomp
CVE-2015-2899 (Heap-based buffer overflow in the QualifierList retrieve_qualifier_lis ...)
	NOT-FOR-US: Medicomp
CVE-2015-2898 (Multiple stack-based buffer overflows in Medicomp MEDCIN Engine before ...)
	NOT-FOR-US: Medicomp
CVE-2015-2897 (Sierra Wireless ALEOS before 4.4.2 on AirLink ES, GX, and LS devices h ...)
	NOT-FOR-US: Sierra Wireless ALEOS
CVE-2015-2896 (The up.time client in Idera Uptime Infrastructure Monitor through 7.6 ...)
	NOT-FOR-US: Idera Uptime Infrastructure Monitor
CVE-2015-2895 (Buffer overflow in the up.time client in Idera Uptime Infrastructure M ...)
	NOT-FOR-US: Idera Uptime Infrastructure Monitor
CVE-2015-2894 (Format string vulnerability in the up.time client in Idera Uptime Infr ...)
	NOT-FOR-US: Idera Uptime Infrastructure Monitor
CVE-2015-2893
	RESERVED
CVE-2015-2892
	RESERVED
CVE-2015-2891
	RESERVED
CVE-2015-2890 (The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile W ...)
	NOT-FOR-US: BIOS implementations on Dell hardware with model-dependent firmware
CVE-2015-2889 (Summer Baby Zoom Wifi Monitor & Internet Viewing System allows rem ...)
	NOT-FOR-US: Summer Baby Zoom Wifi Monitor and Internet Viewing System
CVE-2015-2888 (Summer Baby Zoom Wifi Monitor & Internet Viewing System allows rem ...)
	NOT-FOR-US: Summer Baby Zoom Wifi Monitor and Internet Viewing System
CVE-2015-2887 (iBaby M3S has a password of admin for the backdoor admin account. ...)
	NOT-FOR-US: iBaby M3S
CVE-2015-2886 (iBaby M6 allows remote attackers to obtain sensitive information, rela ...)
	NOT-FOR-US: iBaby M6
CVE-2015-2885 (Lens Peek-a-View has a password of 2601hx for the backdoor admin accou ...)
	NOT-FOR-US: Lens Peek-a-View
CVE-2015-2884 (Philips In.Sight B120/37 allows remote attackers to obtain sensitive i ...)
	NOT-FOR-US: Philips In.Sight B120/37
CVE-2015-2883 (Philips In.Sight B120/37 has XSS, related to the Weaved cloud web serv ...)
	NOT-FOR-US: Philips In.Sight B120/37
CVE-2015-2882 (Philips In.Sight B120/37 has a password of b120root for the backdoor r ...)
	NOT-FOR-US: Philips In.Sight B120/37
CVE-2015-2881 (Gynoii has a password of guest for the backdoor guest account and a pa ...)
	NOT-FOR-US: Gynoii
CVE-2015-2880 (TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the bac ...)
	NOT-FOR-US: TRENDnet WiFi Baby Cam TV-IP743SIC
CVE-2015-2879
	RESERVED
CVE-2015-2878 (Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis Ha ...)
	NOT-FOR-US: Hexis HawkEye
CVE-2015-2877 (** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.3 ...)
	- linux (unimportant)
	- linux-2.6 (unimportant)
	NOTE: https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi
	NOTE: http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/
	NOTE: Architectural limitation, workaround exists
CVE-2015-2876 (Unrestricted file upload vulnerability on Seagate GoFlex Satellite, Se ...)
	NOT-FOR-US: Seagate GoFlex
CVE-2015-2875 (Absolute path traversal vulnerability on Seagate GoFlex Satellite, Sea ...)
	NOT-FOR-US: Seagate GoFlex
CVE-2015-2874 (Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wir ...)
	NOT-FOR-US: Seagate GoFlex
CVE-2015-2873 (Trend Micro Deep Discovery Inspector (DDI) on Deep Discovery Threat ap ...)
	NOT-FOR-US: Trend Micro
CVE-2015-2872 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Dee ...)
	NOT-FOR-US: Trend Micro
CVE-2015-2871 (Chiyu BF-660C fingerprint access-control devices allow remote attacker ...)
	NOT-FOR-US: Chiyu BF-660C fingerprint access-control devices
CVE-2015-2870 (Cross-site scripting (XSS) vulnerability on Chiyu BF-630, BF-630W, and ...)
	NOT-FOR-US: Chiyu fingerprint access-control devices
CVE-2015-2869 (The FileInfo plugin before 2.22 for Ghisler Total Commander allows rem ...)
	NOT-FOR-US: Ghisler Total Commander
CVE-2015-2868 (An exploitable remote code execution vulnerability exists in the Trane ...)
	NOT-FOR-US: Trane
CVE-2015-2867 (A design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 s ...)
	NOT-FOR-US: Trane
CVE-2015-2866 (SQL injection vulnerability on the Grandstream GXV3611_HD camera with ...)
	NOT-FOR-US: Grandstream camera
CVE-2015-2865
	REJECTED
CVE-2015-2864 (Retrospect and Retrospect Client before 10.0.2.119 on Windows, before ...)
	NOT-FOR-US: Retrospect Client
CVE-2015-2863 (Open redirect vulnerability in Kaseya Virtual System Administrator (VS ...)
	NOT-FOR-US: Kaseya VSA
CVE-2015-2862 (Directory traversal vulnerability in Kaseya Virtual System Administrat ...)
	NOT-FOR-US: Kaseya VSA
CVE-2015-2861 (Cross-site request forgery (CSRF) vulnerability in Vesta Control Panel ...)
	NOT-FOR-US: Vesta Control Panel
CVE-2015-2860 (Directory traversal vulnerability in Avigilon Control Center (ACC) 4 b ...)
	NOT-FOR-US: Avigilon Control Center
CVE-2015-2859 (Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x thro ...)
	NOT-FOR-US: Intel McAfee ePolicy Orchestrator
CVE-2015-2858 (Datalex airline booking software before 2015-09-03 allows remote attac ...)
	NOT-FOR-US: Datalex airline booking software
CVE-2015-2857 (Accellion File Transfer Appliance before FTA_9_11_210 allows remote at ...)
	NOT-FOR-US: Accellion File Transfer Appliance
CVE-2015-2856 (Directory traversal vulnerability in the template function in function ...)
	NOT-FOR-US: Accellion File Transfer Appliance
CVE-2015-2855 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...)
	NOT-FOR-US: Blue Coat SSL Visibility Appliance
CVE-2015-2854 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...)
	NOT-FOR-US: Blue Coat SSL Visibility Appliance
CVE-2015-2853 (Session fixation vulnerability in the WebUI component in Blue Coat SSL ...)
	NOT-FOR-US: Blue Coat SSL Visibility Appliance
CVE-2015-2852 (Cross-site request forgery (CSRF) vulnerability in the WebUI component ...)
	NOT-FOR-US: Blue Coat SSL Visibility Appliance
CVE-2015-2851 (client_chown in the sync client in Synology Cloud Station 1.1-2291 thr ...)
	NOT-FOR-US: Synology Cloud Station
CVE-2015-2850 (Cross-site scripting (XSS) vulnerability in index-login.ant in the ANT ...)
	NOT-FOR-US: ANTlabs
CVE-2015-2849 (SQL injection vulnerability in main.ant in the ANTlabs InnGate firmwar ...)
	NOT-FOR-US: ANTlabs
CVE-2015-2848 (Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo To ...)
	NOT-FOR-US: Honeywell Tuxedo Touch
CVE-2015-2847 (Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authen ...)
	NOT-FOR-US: Honeywell Tuxedo Touch
CVE-2015-2846 (BitTorrent Sync allows remote attackers to execute arbitrary commands ...)
	- btsync (bug #706639)
CVE-2015-2845 (The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3 ...)
	NOT-FOR-US: GoAutoDial GoAdmin CE
CVE-2015-2844 (The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3 ...)
	NOT-FOR-US: GoAutoDial GoAdmin CE
CVE-2015-2843 (Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before ...)
	NOT-FOR-US: GoAutoDial GoAdmin CE
CVE-2015-2842 (Unrestricted file upload vulnerability in go_audiostore.php in the aud ...)
	NOT-FOR-US: GoAutoDial GoAdmin CE
CVE-2015-2841 (Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote ...)
	NOT-FOR-US: Citrix NetScaler
CVE-2015-2840 (Cross-site scripting (XSS) vulnerability in help/rt/large_search.html ...)
	NOT-FOR-US: Citrix NetScaler
CVE-2015-2839 (The Nitro API in Citrix NetScaler before 10.5 build 52.3nc uses an inc ...)
	NOT-FOR-US: Citrix NetScaler
CVE-2015-2838 (Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix ...)
	NOT-FOR-US: Citrix NetScaler
CVE-2015-2929 (The Hidden Service (HS) client implementation in Tor before 0.2.4.27, ...)
	{DSA-3216-1 DLA-187-1}
	- tor 0.2.5.12-1
	NOTE: https://trac.torproject.org/projects/tor/ticket/15601
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/06/5
CVE-2015-2928 (The Hidden Service (HS) server implementation in Tor before 0.2.4.27, ...)
	{DSA-3216-1 DLA-187-1}
	- tor 0.2.5.12-1
	NOTE: https://trac.torproject.org/projects/tor/ticket/15600
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/06/5
CVE-2015-2837
	RESERVED
CVE-2015-2836
	RESERVED
CVE-2015-2835
	RESERVED
CVE-2015-2834
	RESERVED
CVE-2015-2833
	RESERVED
CVE-2015-2832
	RESERVED
CVE-2015-2927 (node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause ...)
	- node (bug #777013)
	[jessie] - node (Minor issue)
	[squeeze] - node (Minor issue)
	[wheezy] - node (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/03/10
CVE-2015-XXXX [caja automounts USB flash drives and CD/DVD drives while session is locked]
	- caja 1.8.2-4 (bug #781608)
	[jessie] - caja 1.8.2-3+deb8u1
	NOTE: https://github.com/mate-desktop/caja/issues/398
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/03/12
CVE-2015-3013 (ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 ...)
	{DSA-3244-1}
	[experimental] - owncloud 7.0.5+dfsg-1
	- owncloud 7.0.4+dfsg-3
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-004
CVE-2015-3012 (Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0 ...)
	{DSA-3244-1}
	[experimental] - owncloud 7.0.5+dfsg-1
	- owncloud 7.0.4+dfsg-3
	- owncloud-documents (Fixed before initial release to Debian)
	- webodf (bug #727529)
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-002
CVE-2015-3011 (Multiple cross-site scripting (XSS) vulnerabilities in the contacts ap ...)
	{DSA-3244-1}
	[experimental] - owncloud 7.0.5+dfsg-1
	- owncloud 7.0.4+dfsg-3
	- owncloud-contacts (bug #779055)
	NOTE: owncloud-contacts fixed in 0.3.0.18+8.0.0+dfsg-1
	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-001
CVE-2015-8855 (The semver package before 4.3.2 for Node.js allows attackers to cause ...)
	- node-semver 5.3.0-1 (unimportant)
	NOTE: https://nodesecurity.io/advisories/semver_redos
	NOTE: https://github.com/npm/npm/releases/tag/v2.7.5
	NOTE: libv8 is not covered by security support
CVE-2015-2925 (The prepend_path function in fs/dcache.c in the Linux kernel before 4. ...)
	{DLA-325-1}
	- linux 4.2.1-1
	[jessie] - linux 3.16.7-ckt11-1+deb8u4
	[wheezy] - linux 3.2.68-1+deb7u5
	- linux-2.6
	NOTE: http://permalink.gmane.org/gmane.linux.kernel.containers/29173
	NOTE: http://permalink.gmane.org/gmane.linux.kernel.containers/29177
CVE-2015-2924 (The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor Disco ...)
	- network-manager 1.0.2-1 (bug #783295)
	[jessie] - network-manager (Minor issue)
	[wheezy] - network-manager (Minor issue)
	[squeeze] - network-manager (Minor issue)
CVE-2015-2923 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...)
	{DSA-3175-2}
	[experimental] - kfreebsd-11 11.0~svn284956-1
	- kfreebsd-10 10.1~svn274115-4 (bug #782107)
	[jessie] - kfreebsd-10 (kfreebsd not a release arch)
	- kfreebsd-9
	[wheezy] - kfreebsd-9 (Minor issue)
	- kfreebsd-8
	[wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update)
	[squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS)
	NOTE: https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041934.html
CVE-2015-2922 (The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbo ...)
	{DSA-3237-1 DLA-246-1}
	- linux 3.16.7-ckt9-1
	- linux-2.6
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
CVE-2015-2829 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...)
	NOT-FOR-US: Citrix NetScaler Application Delivery Controller
CVE-2015-2828 (CA Spectrum 9.2.x and 9.3.x before 9.3 H02 does not properly validate ...)
	NOT-FOR-US: CA Spectrum
CVE-2015-2827 (Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3. ...)
	NOT-FOR-US: CA Spectrum
CVE-2015-2826 (WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote at ...)
	NOT-FOR-US: WordPress plugin simple-ads-manager
CVE-2015-2825 (Unrestricted file upload vulnerability in sam-ajax-admin.php in the Si ...)
	NOT-FOR-US: WordPress plugin simple-ads-manager
CVE-2015-2824 (Multiple SQL injection vulnerabilities in the Simple Ads Manager plugi ...)
	NOT-FOR-US: WordPress plugin simple-ads-manager
CVE-2015-2823 (Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Port ...)
	NOT-FOR-US: Siemens
CVE-2015-2822 (Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Up ...)
	NOT-FOR-US: Siemens
CVE-2015-2821 (TYPO3 Neos 1.1.x before 1.1.3 and 1.2.x before 1.2.3 allows remote edi ...)
	NOT-FOR-US: TYPO3 Neos
CVE-2015-2820 (Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote a ...)
	NOT-FOR-US: SAP Afaria
CVE-2015-2819 (SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a d ...)
	NOT-FOR-US: SAP Sybase SQL Anywhere
CVE-2015-2818 (XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allow ...)
	NOT-FOR-US: SAP Mobile Platform
CVE-2015-2817 (The SAP Management Console in SAP NetWeaver 7.40 allows remote attacke ...)
	NOT-FOR-US: SAP NetWeaver
CVE-2015-2816 (The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict acc ...)
	NOT-FOR-US: SAP Afaria
CVE-2015-2815 (Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatche ...)
	NOT-FOR-US: NetWeaver Dispatcher in SAP KERNEL
CVE-2015-2814 (SAP EMR Unwired (com.sap.mobile.healthcare.emr.v2) and Clinical Task T ...)
	NOT-FOR-US: SAP EMR Unwired and Clinical Task Tracker
CVE-2015-2813 (XML external entity (XXE) vulnerability in SAP Mobile Platform allows ...)
	NOT-FOR-US: SAP Mobile Platform
CVE-2015-2812 (XML external entity (XXE) vulnerability in XMLValidationComponent in S ...)
	NOT-FOR-US: SAP NetWeaver Portal
CVE-2015-2811 (XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetW ...)
	NOT-FOR-US: SAP NetWeaver Portal
CVE-2015-2830 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not ...)
	{DSA-3237-1 DLA-246-1}
	- linux 3.16.7-ckt9-1
	- linux-2.6
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=956421fbb74c3a6261903f3836c0740187cf038b (v4.0-rc3)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/02/1
CVE-2015-XXXX [Signature Bypass in several JSON Web Token Libraries]
	- pyjwt 1.3.0-1 (bug #781640)
	[jessie] - pyjwt 0.2.1-1+deb8u1
	NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/01/4
	NOTE: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
	NOTE: ruby-jwt not directly affected, see https://github.com/jwt/ruby-jwt/issues/76
CVE-2015-2810 (Integer overflow in the HwpApp::CHncSDS_Manager function in Hancom Off ...)
	NOT-FOR-US: Hancom Office Hwp
CVE-2015-2809 (The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DS ...)
	NOT-FOR-US: Synology DiskStation Manager
CVE-2015-2808 (The RC4 algorithm, as used in the TLS protocol and SSL protocol, does ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	NOTE: This CVE is specific to the design of the RC4 protocol and not to its
	NOTE: implementations.
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of JSSE."
CVE-2015-2807 (Cross-site scripting (XSS) vulnerability in js/window.php in the Navis ...)
	NOT-FOR-US: Navis DocumentCloud plugin for WordPress
CVE-2015-2831 (Buffer overflow in das_watchdog 0.9.0 allows local users to execute ar ...)
	{DSA-3221-1 DLA-194-1}
	- das-watchdog 0.9.0-3.1 (bug #781806)
	NOTE: Upstream commit: https://github.com/kmatheussen/das_watchdog/commit/bd20bb02e75e2c
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/8
CVE-2015-2805 (Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa ...)
	NOT-FOR-US: Alcatel-Lucent OmniSwitch
CVE-2015-2804 (The management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, ...)
	NOT-FOR-US: Alcatel-Lucent OmniSwitch
CVE-2015-2803 (SQL injection vulnerability in mod1/index.php in the Akronymmanager (s ...)
	NOT-FOR-US: TYPO3 extension sb_akronymmanager
CVE-2015-2802 (An Information Disclosure vulnerability exists in HP SiteScope 11.2 an ...)
	NOT-FOR-US: HP SiteScope
CVE-2015-2801
	RESERVED
CVE-2015-2800 (The user authentication module in Huawei Campus switches S5700, S5300, ...)
	NOT-FOR-US: Huawei
CVE-2015-2799
	RESERVED
CVE-2015-2798 (SQL injection vulnerability in Joomla! Component Contact Form Maker 1. ...)
	NOT-FOR-US: Joomla! extension
CVE-2015-2797 (Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, 5 ...)
	NOT-FOR-US: AirTies Air DSL modems
CVE-2015-2796 (Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier Pr ...)
	NOT-FOR-US: Project-Pier ProjectPier-Core
CVE-2015-2795
	RESERVED
CVE-2015-2794 (The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote ...)
	NOT-FOR-US: DotNetNuke
CVE-2015-2792 (The WPML plugin before 3.1.9 for WordPress does not properly handle mu ...)
	NOT-FOR-US: WPML plugin for WordPress
CVE-2015-2791 (The "menu sync" function in the WPML plugin before 3.1.9 for WordPress ...)
	NOT-FOR-US: WPML plugin for WordPress
CVE-2015-2790 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remot ...)
	NOT-FOR-US: Foxit Reader, Enterprise Reader, and PhantomPDF
CVE-2015-2789 (Unquoted Windows search path vulnerability in the Foxit Cloud Safe Upd ...)
	NOT-FOR-US: Foxit Reader
CVE-2015-XXXX [xdeb: disables apt's signature checks]
	- xdeb 0.6.7 (bug #781595)
	[wheezy] - xdeb (Minor issue)
CVE-2015-2931 (Incomplete blacklist vulnerability in includes/upload/UploadBase.php i ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2932 (Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x b ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2933 (Cross-site scripting (XSS) vulnerability in the Html class in MediaWik ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2934 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2935 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2936 (MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2937 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2938 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2939 (Cross-site scripting (XSS) vulnerability in the Scribunto extension fo ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2940 (Cross-site request forgery (CSRF) vulnerability in the CheckUser exten ...)
	- mediawiki 1:1.19.20+dfsg-2.3
	[wheezy] - mediawiki (Not supported in Wheezy LTS)
	[squeeze] - mediawiki (Not supported in Squeeze LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2941 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...)
	- mediawiki 1:1.19.20+dfsg-2.3 (unimportant)
	NOTE: HHVM not packaged in Debian
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2942 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
	- mediawiki 1:1.19.20+dfsg-2.3 (unimportant)
	NOTE: HHVM not packaged in Debian
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2786 (Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 h ...)
	NOT-FOR-US: MyBB
CVE-2015-2784 (The papercrop gem before 0.3.0 for Ruby on Rails does not properly han ...)
	NOT-FOR-US: papercrop Ruby gem
CVE-2015-2783 (ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x b ...)
	{DSA-3280-1 DLA-212-1}
	- php5 5.6.9+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69324
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae
	NOTE: Fixed in 5.6.8 and 5.4.40
CVE-2015-2781 (Cross-site scripting (XSS) vulnerability in cgi-bin/hotspotlogin.cgi i ...)
	NOT-FOR-US: Hotspot Express hotEx Billing Manager
CVE-2015-2780 (Unrestricted file upload vulnerability in Berta CMS allows remote atta ...)
	NOT-FOR-US: Berta CMS
CVE-2015-2777
	RESERVED
CVE-2015-2775 (Directory traversal vulnerability in GNU Mailman before 2.1.20, when n ...)
	{DSA-3214-1 DLA-186-1}
	- mailman 1:2.1.18-2 (bug #781626)
	NOTE: https://bugs.launchpad.net/mailman/+bug/1437145
	NOTE: https://mail.python.org/pipermail/mailman-developers/2015-March/024875.html
CVE-2015-2773 (SVM in Websense TRITON V-Series appliances before 8.0.0 allows attacke ...)
	NOT-FOR-US: Websense TRITON V-Series appliances
CVE-2015-2772 (SVM in Websense TRITON V-Series appliances before 8.0.0 allows attacke ...)
	NOT-FOR-US: Websense TRITON V-Series appliances
CVE-2015-2771 (The Mail Server in Websense TRITON AP-EMAIL and V-Series appliances be ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL and V-Series appliances
CVE-2015-2770 (Cross-site request forgery (CSRF) vulnerability in the command line pa ...)
	NOT-FOR-US: Websense TRITON V-Series appliances
CVE-2015-2769 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Pers ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2768 (Cross-site scripting (XSS) vulnerability in Websense TRITON AP-EMAIL b ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2767 (Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2766 (The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8. ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2765 (The Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 al ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2764 (Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON ...)
	NOT-FOR-US: Websense TRITON AP-DATA
CVE-2015-2763 (Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has ...)
	NOT-FOR-US: Websense TRITON AP-EMAIL
CVE-2015-2762 (Websense TRITON AP-WEB before 8.0.0 allows remote attackers to enumera ...)
	NOT-FOR-US: Websense TRITON AP-WEB
CVE-2015-2761 (Cross-site scripting (XSS) vulnerability in the Exceptions and Scannin ...)
	NOT-FOR-US: Websense TRITON AP-WEB
CVE-2015-2760 (Cross-site scripting (XSS) vulnerability in the ePO extension in McAfe ...)
	NOT-FOR-US: McAfee
CVE-2015-2759 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ePO ...)
	NOT-FOR-US: McAfee
CVE-2015-2758 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...)
	NOT-FOR-US: McAfee
CVE-2015-2757 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...)
	NOT-FOR-US: McAfee
CVE-2015-XXXX [crashes found with afl]
	- hp2xx 3.4.4-10 (low)
	[wheezy] - hp2xx 3.4.4-8+deb7u1
	[squeeze] - hp2xx (Minor issue)
CVE-2015-2793 (Cross-site scripting (XSS) vulnerability in templates/openid-selector. ...)
	- ikiwiki 3.20141016.2 (bug #781483)
	[wheezy] - ikiwiki 3.20120629.2
	[squeeze] - ikiwiki (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/30/5
CVE-2015-2806 (Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4. ...)
	{DSA-3220-1 DLA-195-1}
	[experimental] - libtasn1-6 4.4-1
	- libtasn1-6 4.2-3
	- libtasn1-3
	NOTE: https://gitlab.com/gnutls/libtasn1/commit/4d4f992826a4962790ecd0cce6fbba4a415ce149
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/29/4
	NOTE: Only in the asn1 definition parser, not in the asn1 parser itself
	NOTE: https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html
CVE-2015-2787 (Use-after-free vulnerability in the process_nested_data function in ex ...)
	{DSA-3198-1 DLA-212-1}
	- php5 5.6.7+dfsg-1
	NOTE: https://bugs.php.net/68976
CVE-2015-2782 (Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote atta ...)
	{DSA-3213-1 DLA-188-1}
	- arj 3.10.22-13 (bug #774015)
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/28/5
CVE-2015-2756 (QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict a ...)
	{DSA-3259-1 DLA-479-1}
	- xen 4.2.0~rc2-1 (bug #781620)
	[squeeze] - xen (Not supported in Squeeze LTS)
	- qemu 1:2.3+dfsg-3
	[wheezy] - qemu (Vulnerable code not present)
	[squeeze] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	NOTE: http://xenbits.xen.org/xsa/advisory-126.html
CVE-2015-2755 (Multiple cross-site request forgery (CSRF) vulnerabilities in the AB G ...)
	NOT-FOR-US: AB Google Map Travel (AB-MAP) plugin for WordPress
CVE-2015-2752 (The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, wh ...)
	{DLA-479-1}
	- xen 4.4.1-9 (bug #781620)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-125.html
CVE-2015-2751 (Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allo ...)
	- xen 4.4.1-9 (bug #781620)
	[wheezy] - xen (Affected functionality introduced in 4.2)
	[squeeze] - xen (Affected functionality introduced in 4.2)
	NOTE: http://xenbits.xen.org/xsa/advisory-127.html
CVE-2015-2748 (Websense TRITON AP-WEB before 8.0.0 does not properly restrict access ...)
	NOT-FOR-US: Websense TRITON AP-WEB
CVE-2015-2747 (Multiple cross-site scripting (XSS) vulnerabilities in the data loss p ...)
	NOT-FOR-US: Websense Triton
CVE-2015-2746 (The network diagnostics tool (CommandLineServlet) in the Appliance Man ...)
	NOT-FOR-US: Websense TRITON
CVE-2015-2774 (Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes w ...)
	- erlang 1:17.3-dfsg-4 (low; bug #781839)
	[squeeze] - erlang (Minor issue)
	[wheezy] - erlang (Minor issue)
	NOTE: http://www.erlang.org/news/85
	NOTE: CVE about "ssl: ... added padding check for TLS-1.0 due to the Poodle vulnerability."
	NOTE: https://github.com/erlang/otp/commit/e53c55dd0ab69982bc511396ccf8655d27c6d38c
CVE-2015-2745 (Multiple cross-site scripting (XSS) vulnerabilities in the Search app ...)
	NOT-FOR-US: Mozilla Firefox OS
CVE-2015-2744 (Cross-site scripting (XSS) vulnerability in the Search app in Gaia in ...)
	NOT-FOR-US: Mozilla Firefox OS
CVE-2015-2743 (PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 ...)
	{DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
CVE-2015-2742 (Mozilla Firefox before 39.0 on OS X includes native key press informat ...)
	- iceweasel (OS X specific)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-68/
CVE-2015-2741 (Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunder ...)
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	- icedove 38.1.0-1
	[squeeze] - icedove
	[jessie] - icedove (Only affects Thunderbird 38 and later)
	[wheezy] - icedove (Only affects Thunderbird 38 and later)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-67/
CVE-2015-2740 (Buffer overflow in the nsXMLHttpRequest::AppendToResponseText function ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2739 (The ArrayBufferBuilder::append function in Mozilla Firefox before 39.0 ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2738 (The YCbCrImageDataDeserializer::ToDataSourceSurface function in the YC ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2737 (The rx::d3d11::SetBufferData function in the Direct3D 11 implementatio ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2736 (The nsZipArchive::BuildFileList function in Mozilla Firefox before 39. ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2735 (nsZipArchive.cpp in Mozilla Firefox before 39.0, Firefox ESR 31.x befo ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2734 (The CairoTextureClientD3D9::BorrowDrawTarget function in the Direct3D ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
CVE-2015-2733 (Use-after-free vulnerability in the CanonicalizeXPCOMParticipant funct ...)
	- iceweasel 38.1.0esr-1
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-65/
CVE-2015-2732
	RESERVED
CVE-2015-2731 (Use-after-free vulnerability in the CSPService::ShouldLoad function in ...)
	{DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[jessie] - icedove (Does not affect 31.x ESR Thunderbird)
	[wheezy] - icedove (Does not affect 31.x ESR Thunderbird)
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-63/
CVE-2015-2730 (Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozi ...)
	{DSA-3336-1 DLA-315-1}
	- nss 2:3.19.1-1
	- iceweasel 38.1.0esr-1
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-64/
	NOTE: https://hg.mozilla.org/projects/nss/rev/fc6870938172
	NOTE: https://hg.mozilla.org/projects/nss/rev/2c05e861ce07
CVE-2015-2729 (The AudioParamTimeline::AudioNodeInputValue function in the Web Audio ...)
	- iceweasel 38.1.0esr-1
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-62/
CVE-2015-2728 (The IndexedDatabaseManager class in the IndexedDB implementation in Mo ...)
	{DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-61/
CVE-2015-2727 (Mozilla Firefox 38.0 and Firefox ESR 38.0 allow user-assisted remote a ...)
	- iceweasel 38.1.0esr-1
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-60/
CVE-2015-2726 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	[jessie] - iceweasel (Only affects Firefox 39)
	[wheezy] - iceweasel (Only affects Firefox 39)
	- icedove 38.1.0-1
	[squeeze] - icedove
	[jessie] - icedove (Only affects Icedove 39)
	[wheezy] - icedove (Only affects Icedove 39)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
CVE-2015-2725 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	- icedove 38.1.0-1
	[squeeze] - icedove
	[jessie] - icedove (Only affects Icedove 38 and later)
	[wheezy] - icedove (Only affects Icedove 38 and later)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
CVE-2015-2724 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-3324-1 DSA-3300-1}
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
CVE-2015-2723
	REJECTED
CVE-2015-2722 (Use-after-free vulnerability in the CanonicalizeXPCOMParticipant funct ...)
	- iceweasel 38.1.0esr-1
	[jessie] - iceweasel (Only affects Firefox 38 and later)
	[wheezy] - iceweasel (Only affects Firefox 38 and later)
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-65/
CVE-2015-2721 (Mozilla Network Security Services (NSS) before 3.19, as used in Mozill ...)
	{DSA-3336-1 DSA-3324-1 DSA-3300-1 DLA-315-1}
	- nss 2:3.19.1-1
	NOTE: NSS patch: https://hg.mozilla.org/projects/nss/rev/6b4770c76bc8
	NOTE: NSS testcase: https://hg.mozilla.org/projects/nss/rev/1865635f5df5
	- iceweasel 38.1.0esr-1
	[squeeze] - iceweasel
	- icedove 38.1.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-71/
CVE-2015-2720 (The update implementation in Mozilla Firefox before 38.0 on Windows do ...)
	- iceweasel (Only affects Windows)
CVE-2015-2719
	RESERVED
CVE-2015-2718 (The WebChannel.jsm module in Mozilla Firefox before 38.0 allows remote ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
CVE-2015-2717 (Integer overflow in libstagefright in Mozilla Firefox before 38.0 allo ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
CVE-2015-2716 (Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Fire ...)
	{DSA-3264-1 DSA-3260-1}
	- iceweasel 38.0-1
	[squeeze] - iceweasel
	- icedove 31.7.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
CVE-2015-2715 (Race condition in the nsThreadManager::RegisterCurrentThread function ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
CVE-2015-2714 (Mozilla Firefox before 38.0 on Android does not properly restrict writ ...)
	- iceweasel (Only affects Firefox on Android)
CVE-2015-2713 (Use-after-free vulnerability in the SetBreaks function in Mozilla Fire ...)
	{DSA-3264-1 DSA-3260-1}
	- iceweasel 38.0-1
	[squeeze] - iceweasel
	- icedove 31.7.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
CVE-2015-2712 (The asm.js implementation in Mozilla Firefox before 38.0 does not prop ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
CVE-2015-2711 (Mozilla Firefox before 38.0 does not recognize a referrer policy deliv ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
CVE-2015-2710 (Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefo ...)
	{DSA-3264-1 DSA-3260-1}
	- iceweasel 38.0-1
	[squeeze] - iceweasel
	- icedove 31.7.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
CVE-2015-2709 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel 38.0-1
	[jessie] - iceweasel (Only affects 37.x)
	[wheezy] - iceweasel (Only affects 37.x)
	[squeeze] - iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
CVE-2015-2708 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-3264-1 DSA-3260-1}
	- iceweasel 38.0-1
	[squeeze] - iceweasel
	- icedove 31.7.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
CVE-2015-2707
	RESERVED
CVE-2015-2706 (Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent functio ...)
	[experimental] - iceweasel 37.0.2-1
	- iceweasel (Only affects 37.x series)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-45/
CVE-2015-2705
	RESERVED
CVE-2015-2703 (Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON ...)
	NOT-FOR-US: Websense
CVE-2015-2702 (Cross-site scripting (XSS) vulnerability in the Message Log in the Ema ...)
	NOT-FOR-US: Websense
CVE-2015-2701 (Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allow ...)
	NOT-FOR-US: CS-Cart
CVE-2015-2700
	RESERVED
CVE-2015-2699
	RESERVED
CVE-2015-2698 (The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c ...)
	- krb5 1.13.2+dfsg-4
	[jessie] - krb5 (Only affected when applying original patch for CVE-2015-2696 only)
	[wheezy] - krb5 (Only affected when applying original patch for CVE-2015-2696 only)
	[squeeze] - krb5 (Vulnerable code not present)
	NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8273
	NOTE: https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
CVE-2015-2697 (The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Ker ...)
	{DSA-3395-2 DSA-3395-1 DLA-340-1}
	- krb5 1.13.2+dfsg-3 (bug #803088)
	NOTE: https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
	NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8252
CVE-2015-2696 (lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 reli ...)
	{DSA-3395-1}
	- krb5 1.13.2+dfsg-3 (bug #803084)
	[squeeze] - krb5 (Vulnerable code not present)
	NOTE: https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
	NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244
CVE-2015-2695 (lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1. ...)
	{DSA-3395-1 DLA-340-1}
	- krb5 1.13.2+dfsg-3 (bug #803083)
	NOTE: https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
	NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244
CVE-2015-2694 (The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x ...)
	- krb5 1.12.1+dfsg-20 (bug #783557)
	[jessie] - krb5 1.12.1+dfsg-19+deb8u3
	[wheezy] - krb5 (Minor issue and can be fixed in a future DSA)
	[squeeze] - krb5 (Minor issue and can be fixed in a future DSA)
	NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160
	NOTE: Upstream commit: https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
	NOTE: wheezy marked as no-dsa since OTP plugin not present. But the issue
	NOTE: might affect any out-of-tree plugins with similar bug as the OTP
	NOTE: has. Thus basically only krb5/1.12 is affected.
CVE-2015-2693
	RESERVED
CVE-2015-2692 (AdBlock before 2.21 allows remote attackers to block arbitrary resourc ...)
	NOT-FOR-US: AdBlock
CVE-2015-2691
	RESERVED
CVE-2015-2690 (Multiple cross-site scripting (XSS) vulnerabilities in views/add-licen ...)
	NOT-FOR-US: Digium Addons module for FreePBX
CVE-2015-2704 (realmd allows remote attackers to inject arbitrary configurations in t ...)
	- realmd 0.16.0-1 (bug #781179)
	[jessie] - realmd (Minor issue)
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207
CVE-2015-2776 (The parse_SST function in FreeXL before 1.0.0i allows remote attackers ...)
	{DSA-3208-1}
	[experimental] - freexl 1.0.1-1~exp1
	- freexl 1.0.0g-1+deb8u1 (bug #781228)
	NOTE: Reproducer: https://www.dropbox.com/s/gh61gzaf8jj30hj/freexl_6889d18b?dl=0
CVE-2015-2754 (FreeXL before 1.0.0i allows remote attackers to cause a denial of serv ...)
	{DSA-3208-1}
	[experimental] - freexl 1.0.1-1~exp1
	- freexl 1.0.0g-1+deb8u1 (bug #781228)
	NOTE: Reproducer: https://www.dropbox.com/s/66srfory903w6cl/freexl_d7273f72?dl=0
CVE-2015-2753 (FreeXL before 1.0.0i allows remote attackers to cause a denial of serv ...)
	{DSA-3208-1}
	[experimental] - freexl 1.0.1-1~exp1
	- freexl 1.0.0g-1+deb8u1 (bug #781228)
	NOTE: Reproducer: https://www.dropbox.com/s/3htzndywvtmomlx/freexl_9f74b0e8?dl=0
CVE-2015-2685
	RESERVED
CVE-2015-2683 (Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 ...)
	NOT-FOR-US: Citrix Command Center
CVE-2015-2682 (Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 ...)
	NOT-FOR-US: Citrix Command Center
CVE-2015-2681 (Multiple cross-site scripting (XSS) vulnerabilities in the ASUS RT-G32 ...)
	NOT-FOR-US: Asus
CVE-2015-2680 (Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS ...)
	NOT-FOR-US: MetalGenix GeniXCMS
CVE-2015-2679 (Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0 ...)
	NOT-FOR-US: MetalGenix GeniXCMS
CVE-2015-2678 (Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix Geni ...)
	NOT-FOR-US: MetalGenix GeniXCMS
CVE-2015-2677 (Multiple cross-site scripting (XSS) vulnerabilities in ocPortal before ...)
	- ocportal (bug #625865)
CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the ASUS RT-G32 rou ...)
	NOT-FOR-US: Asus
CVE-2015-2689 (Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly hand ...)
	{DSA-3203-1 DLA-178-1}
	- tor 0.2.5.11-1
	NOTE: https://bugs.torproject.org/14129
CVE-2015-2688 (buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not ...)
	{DSA-3203-1 DLA-178-1}
	- tor 0.2.5.11-1
	NOTE: https://trac.torproject.org/projects/tor/ticket/15083
CVE-2015-2687 (OpenStack Compute (nova) Icehouse, Juno and Havana when live migration ...)
	- nova 2014.1-1
	[wheezy] - nova (Minor issue)
	NOTE: This is no longer a security issue starting with icehouse, so marking 2014.1 as fixed
	NOTE: https://bugs.launchpad.net/nova/+bug/1419577
CVE-2015-2673 (The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in ...)
	NOT-FOR-US: WP EasyCart plugin for WordPress
CVE-2015-2671
	RESERVED
CVE-2015-2670
	REJECTED
CVE-2015-2669
	RESERVED
CVE-2015-2668 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...)
	{DLA-233-1}
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
CVE-2015-2667 (Untrusted search path vulnerability in GNS3 1.2.3 allows local users t ...)
	- gns3 (Windows specific)
CVE-2015-2665 (Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows ...)
	{DSA-3295-1 DLA-255-1}
	- cacti 0.8.8d+ds1-1
	NOTE: http://www.fortiguard.com/advisory/FG-VD-15-017/
	NOTE: http://bugs.cacti.net/view.php?id=2542 (bug is not yet accessible)
	NOTE: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch
CVE-2015-2664 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...)
	- openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-2663 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-2662 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Solaris DHCP (dhcpagent)
CVE-2015-2661 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2660 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-2659 (Unspecified vulnerability in Oracle Java SE 8u45 and Java SE Embedded ...)
	- openjdk-6 (Only affects Java 8)
	- openjdk-7 (Only affects Java 8)
	- openjdk-8 8u66-b01-1
CVE-2015-2658 (Unspecified vulnerability in the Web Cache component in Oracle Fusion ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2657 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-2656 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2655 (Unspecified vulnerability in the Application Express component in Orac ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2654 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2653 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...)
	NOT-FOR-US: Oracle Commerce
CVE-2015-2652 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2651 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Solaris Virtualized NIC Driver
CVE-2015-2650 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: PeopleSoft
CVE-2015-2649 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle Siebel CRM
CVE-2015-2648 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	{DSA-3311-1 DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0 10.0.20-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2647 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...)
	NOT-FOR-US: Oracle Database
CVE-2015-2646 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...)
	NOT-FOR-US: Oracle Database
CVE-2015-2645 (Unspecified vulnerability in the Oracle Web Applications Desktop Integ ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2644 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...)
	NOT-FOR-US: Oracle Supply Chain
CVE-2015-2643 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	{DSA-3311-1 DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0 10.0.20-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2642 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2641 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2640 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2639 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2638 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...)
	- openjdk-6 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
CVE-2015-2637 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...)
	- openjdk-6 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
CVE-2015-2636 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2635 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2634 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2633 (Unspecified vulnerability in the Enterprise Manager Ops Center compone ...)
	NOT-FOR-US: Oracle Enterprise Manager Grid Control
CVE-2015-2632 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...)
	{DSA-3725-1 DSA-3339-1 DSA-3316-1 DLA-545-1 DLA-381-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
	- icu 55.1-7
	NOTE: http://bugs.icu-project.org/trac/ticket/11865 (not yet public)
CVE-2015-2631 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Solaris (rmformat)
CVE-2015-2630 (Unspecified vulnerability in the Technology stack component in Oracle ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2629 (Unspecified vulnerability in the Java VM component in Oracle Database ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2628 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-2627 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...)
	- openjdk-6 (Specific to Java client installer)
	- openjdk-7 (Specific to Java client installer)
	- openjdk-8 (Specific to Java client installer)
CVE-2015-2626 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2625 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of JSSE."
CVE-2015-2624 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2623 (Unspecified vulnerability in the Oracle GlassFish Server component in ...)
	- glassfish (Full application server not packaged)
CVE-2015-2622 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: PeopleSoft
CVE-2015-2621 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-2620 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	{DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0 10.0.20-1
	[jessie] - mariadb-10.0 10.0.20-0+deb8u1
	NOTE: Possibly related to https://github.com/mysql/mysql-server/commit/fdae90dd
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2619 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2. ...)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
CVE-2015-2618 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2617 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2616 (Unspecified vulnerability in Oracle Sun Solaris 3.3 and 4.2 allows loc ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2615 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2614 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Solaris (NVM Express Driver)
CVE-2015-2613 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE ...)
	{DSA-3339-1 DSA-3316-1}
	- openjdk-6 (Does not apply to OpenJDK 6.x, only 7.x and 8.x)
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of Java."
CVE-2015-2612 (Unspecified vulnerability in the Siebel Core - Server OM Svcs componen ...)
	NOT-FOR-US: Oracle Siebel CMS
CVE-2015-2611 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...)
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (Only 5.6 series)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2610 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle E-Business
CVE-2015-2609 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Solaris (performance counters)
CVE-2015-2608 (Unspecified vulnerability in (1) the Oracle Communications Diameter Si ...)
	NOT-FOR-US: Oracle Communications Applications
CVE-2015-2607 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...)
	NOT-FOR-US: Oracle Commerce
CVE-2015-2606 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2605 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2604 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2603 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2602 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2601 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, JRoc ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client and server deployment of Java."
CVE-2015-2600 (Unspecified vulnerability in the Siebel Core - Server OM Svcs componen ...)
	NOT-FOR-US: Oracle Siebel CMS
CVE-2015-2599 (Unspecified vulnerability in the RDBMS Scheduler component in Oracle D ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2598 (Unspecified vulnerability in the mobile app in Oracle Business Intelli ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2597 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows local ...)
	- openjdk-6 (Specific to MacOS X)
	- openjdk-7 (Specific to MacOS X)
	- openjdk-8 (Specific to MacOS X)
CVE-2015-2596 (Unspecified vulnerability in Oracle Java SE 7u80 allows remote attacke ...)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
CVE-2015-2595 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2594 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	{DSA-3359-1 DLA-313-1}
	- virtualbox 4.3.30-dfsg-1 (bug #792446)
	- virtualbox-ose
	[squeeze] - virtualbox-ose (Bridged networking over wifi is unlikely to be used in production and vulnerability is not a remote one)
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixOVIR
	NOTE: "This issue affects Windows, Linux and Mac OS X hosts only when guests using bridged networking over Wifi."
CVE-2015-2593 (Unspecified vulnerability in the Oracle Access Manager component in Or ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-2592 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...)
	NOT-FOR-US: Oracle Hyperion
CVE-2015-2591 (Unspecified vulnerability in the PeopleSoft Enterprise Portal - Intera ...)
	NOT-FOR-US: PeopleSoft
CVE-2015-2590 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...)
	{DSA-3339-1 DSA-3316-1 DLA-303-1}
	[experimental] - openjdk-6 6b36-1.13.8-1
	- openjdk-6
	- openjdk-7 7u79-2.5.6-1
	- openjdk-8 8u66-b01-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
	NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets."
CVE-2015-2589 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Solaris
CVE-2015-2588 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: PeopleSoft
CVE-2015-2587 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle Siebel CMS
CVE-2015-2586 (Unspecified vulnerability in the Application Express component in Orac ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2585 (Unspecified vulnerability in the Application Express component in Orac ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-2584 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...)
	NOT-FOR-US: Oracle Hyperion
CVE-2015-2583 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...)
	NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability)
CVE-2015-2582 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...)
	{DSA-3311-1 DSA-3308-1 DLA-359-1}
	- mysql-5.6 5.6.25-2
	- mysql-5.5 (bug #792445)
	- mariadb-10.0 10.0.20-1
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
CVE-2015-2581 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...)
	NOT-FOR-US: Oracle Virtualization
CVE-2015-2580 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2579 (Unspecified vulnerability in the Oracle Health Sciences Argus Safety c ...)
	NOT-FOR-US: Oracle
CVE-2015-2578 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows remote att ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2577 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2576 (Unspecified vulnerability in the MySQL Utilities component in Oracle M ...)
	NOT-FOR-US: MySQL Utilities component of MySQL on Windows
CVE-2015-2575 (Unspecified vulnerability in the MySQL Connectors component in Oracle ...)
	{DSA-3621-1 DLA-526-1}
	- mysql-connector-java 5.1.37-1
CVE-2015-2574 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-2573 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 5.5.42-1
	- mariadb-10.0 10.0.17-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-2572 (Unspecified vulnerability in the Oracle Hyperion Smart View for Office ...)
	NOT-FOR-US: Oracle
CVE-2015-2571 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 (bug #782645)
	[jessie] - mysql-5.5 5.5.43-0+deb8u1
	- mariadb-10.0 10.0.19-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-2570 (Unspecified vulnerability in the Oracle Demand Planning component in O ...)
	NOT-FOR-US: Oracle
CVE-2015-2569
	REJECTED
CVE-2015-2568 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 5.5.42-1
	- mariadb-10.0 10.0.17-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-2567 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-2566 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-2565 (Unspecified vulnerability in the Oracle Installed Base component in Or ...)
	NOT-FOR-US: Oracle
CVE-2015-2564 (SQL injection vulnerability in client-edit.php in ProjectSend (formerl ...)
	NOT-FOR-US: ProjectSend
CVE-2015-2563 (SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 0.9. ...)
	NOT-FOR-US: Vastal I-Tech phpVID
CVE-2015-2562 (Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD ...)
	NOT-FOR-US: Joomla component com_ecommercewd
CVE-2015-2561
	RESERVED
CVE-2015-2560 (Manage Engine Desktop Central 9 before build 90135 allows remote attac ...)
	NOT-FOR-US: Manage Engine Desktop Central
CVE-2015-2558 (Use-after-free vulnerability in Microsoft Excel 2007 SP3, Excel 2010 S ...)
	NOT-FOR-US: Microsoft
CVE-2015-2557 (Buffer overflow in Microsoft Visio 2007 SP3 and 2010 SP2 allows remote ...)
	NOT-FOR-US: Microsoft
CVE-2015-2556 (The InfoPath Forms Services component in Microsoft SharePoint Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-2555 (Use-after-free vulnerability in Microsoft Excel 2010 SP2, Excel 2013 S ...)
	NOT-FOR-US: Microsoft
CVE-2015-2554 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2553 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2552 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2551
	REJECTED
CVE-2015-2550 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2549 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2548 (Use-after-free vulnerability in the Tablet Input Band in Windows Shell ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2547
	REJECTED
CVE-2015-2546 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2545 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allows ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2544 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...)
	NOT-FOR-US: Microsoft OWA
CVE-2015-2543 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...)
	NOT-FOR-US: Microsoft OWA
CVE-2015-2542 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2541 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2540
	REJECTED
CVE-2015-2539
	REJECTED
CVE-2015-2538
	REJECTED
CVE-2015-2537
	REJECTED
CVE-2015-2536 (Cross-site scripting (XSS) vulnerability in Microsoft Lync Server 2013 ...)
	NOT-FOR-US: Microsoft Lync
CVE-2015-2535 (Active Directory in Microsoft Windows Server 2008 SP2 and R2 SP1 and S ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2534 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2533
	REJECTED
CVE-2015-2532 (Cross-site scripting (XSS) vulnerability in Microsoft Lync Server 2013 ...)
	NOT-FOR-US: Microsoft Lync
CVE-2015-2531 (Cross-site scripting (XSS) vulnerability in the jQuery engine in Micro ...)
	NOT-FOR-US: Microsoft Lync
CVE-2015-2530 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2529 (The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows R ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2528 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2527 (The process-initialization implementation in win32k.sys in the kernel- ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2526 (Microsoft .NET Framework 4.5, 4.5.1, 4.5.2, and 4.6 allows remote atta ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-2525 (Task Scheduler in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2524 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2523 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2522 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...)
	NOT-FOR-US: Microsoft SharePoint
CVE-2015-2521 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2520 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011 and 2016, ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2519 (Integer overflow in Windows Journal in Microsoft Windows Vista SP2, Wi ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2518 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2517 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2516 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2515 (Use-after-free vulnerability in Windows Shell in Microsoft Windows Vis ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2514 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2513 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2512 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2511 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2510 (Buffer overflow in the Adobe Type Manager Library in Microsoft Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2509 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2508 (The Adobe Type Manager Library in Microsoft Windows 10 allows local us ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2507 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2506 (atmfd.dll in the Adobe Type Manager Library in Microsoft Windows Vista ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2505 (Outlook Web Access (OWA) in Microsoft Exchange Server 2013 Cumulative ...)
	NOT-FOR-US: Microsoft Exchange
CVE-2015-2504 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, an ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-2503 (Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote ...)
	NOT-FOR-US: Microsoft
CVE-2015-2502 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2501 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2500 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2499 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2498 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2497
	REJECTED
CVE-2015-2496
	REJECTED
CVE-2015-2495
	REJECTED
CVE-2015-2494 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2493 (The (1) VBScript and (2) JScript engines in Microsoft Internet Explore ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2492 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2491 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2490 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2489 (Microsoft Internet Explorer 11 allows remote attackers to gain privile ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2488
	REJECTED
CVE-2015-2487 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2486 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2485 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2484 (Microsoft Internet Explorer 10 and 11 uses an incorrect flag during ce ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2483 (Microsoft Internet Explorer 10 and 11 allows remote attackers to obtai ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2482 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2481 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-2480 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-2479 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2015-2478 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2477 (Microsoft Office 2007 SP3, Office for Mac 2011, Office for Mac 2016, a ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2476 (The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2475 (Cross-site scripting (XSS) vulnerability in uddi/search/frames.aspx in ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2474 (Microsoft Windows Vista SP2 and Server 2008 SP2 allow remote authentic ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2473 (Untrusted search path vulnerability in the client in Remote Desktop Pr ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2472 (Remote Desktop Session Host (RDSH) in Remote Desktop Protocol (RDP) th ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2471 (Microsoft XML Core Services 3.0, 5.0, and 6.0 supports SSL 2.0, which ...)
	NOT-FOR-US: Microsoft XML Core Services
CVE-2015-2470 (Integer underflow in Microsoft Office 2007 SP3, Office 2010 SP2, Offic ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2469 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, and Office fo ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2468 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2467 (Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2466 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allows ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2465 (The Windows shell in Microsoft Windows Vista SP2, Windows Server 2008 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2464 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2463 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2462 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2461 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2460 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2459 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2458 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2457
	REJECTED
CVE-2015-2456 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2455 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2454 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2453 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vist ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2452 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2451 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2450 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2449 (Microsoft Internet Explorer 7 through 11 and Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2448 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2447 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2446 (Microsoft Internet Explorer 11 and Edge allow remote attackers to exec ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2445 (Microsoft Internet Explorer 10 allows remote attackers to bypass the A ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2444 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2443 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2442 (Microsoft Internet Explorer 8 through 11 and Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2441 (Microsoft Internet Explorer 7 through 11 and Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2440 (Microsoft XML Core Services 3.0, 5.0, and 6.0 allows remote attackers ...)
	NOT-FOR-US: Microsoft XML Core Services
CVE-2015-2439
	REJECTED
CVE-2015-2438
	REJECTED
CVE-2015-2437
	REJECTED
CVE-2015-2436
	REJECTED
CVE-2015-2435 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2434 (Microsoft XML Core Services 3.0 and 5.0 supports SSL 2.0, which makes ...)
	NOT-FOR-US: Microsoft XML Core Services
CVE-2015-2433 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2432 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2431 (Microsoft Office 2007 SP3 and 2010 SP2, Live Meeting 2007 Console, Lyn ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2430 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2429 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2428 (Object Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2427 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft
CVE-2015-2426 (Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Librar ...)
	NOT-FOR-US: Microsoft Adobe Type Manager Library
CVE-2015-2425 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2424 (Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Wor ...)
	NOT-FOR-US: Microsoft
CVE-2015-2423 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2422 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2421 (Microsoft Internet Explorer 6 through 11 allows remote attackers to by ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2420 (Cross-site scripting (XSS) vulnerability in Microsoft System Center 20 ...)
	NOT-FOR-US: Microsoft System Center
CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attac ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2418 (Race condition in Microsoft Malicious Software Removal Tool (MSRT) bef ...)
	NOT-FOR-US: Microsoft MSRT
CVE-2015-2417 (OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows S ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2416 (OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows S ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2415 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2414 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ob ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2413 (Microsoft Internet Explorer 6 through 11 allows remote attackers to de ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2412 (Microsoft Internet Explorer 10 and 11 allows remote attackers to read ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2411 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2410 (Microsoft Internet Explorer 6 through 11 allows remote attackers to de ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2409
	REJECTED
CVE-2015-2408 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2407
	REJECTED
CVE-2015-2406 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2405
	REJECTED
CVE-2015-2404 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2403 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2402 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2401 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2400
	REJECTED
CVE-2015-2399
	REJECTED
CVE-2015-2398 (Microsoft Internet Explorer 8 through 11 allows remote attackers to by ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2397 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2396
	REJECTED
CVE-2015-2395
	REJECTED
CVE-2015-2394
	REJECTED
CVE-2015-2393
	REJECTED
CVE-2015-2392
	REJECTED
CVE-2015-2391 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2390 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2389 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2388 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2387 (ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows S ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2386
	REJECTED
CVE-2015-2385 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2384 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2383 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-2382 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2381 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2380 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2379 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-2378 (Untrusted search path vulnerability in Microsoft Excel 2007 SP3, Excel ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2377 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2376 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2375 (Microsoft Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel Vie ...)
	NOT-FOR-US: Microsoft Excel
CVE-2015-2374 (The Netlogon service in Microsoft Windows Server 2003 SP2 and R2 SP2, ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2373 (The Remote Desktop Protocol (RDP) server service in Microsoft Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2372 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Inter ...)
	NOT-FOR-US: Microsoft VBScript
CVE-2015-2371 (The Windows Installer service in Microsoft Windows Server 2003 SP2 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2370 (The authentication implementation in the RPC subsystem in Microsoft Wi ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2369 (Untrusted search path vulnerability in Windows Media Device Manager in ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2368 (Untrusted search path vulnerability in Microsoft Windows 7 SP1, Window ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2367 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2366 (win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1, Wind ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2365 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2364 (The graphics component in Microsoft Windows Server 2003 SP2 and R2 SP2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2363 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2362 (Hyper-V in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 8, Wi ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2361 (Hyper-V in Microsoft Windows 8.1 and Windows Server 2012 R2 does not p ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-2360 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-2359 (Cross-site scripting (XSS) vulnerability in the web applications in Mi ...)
	NOT-FOR-US: Microsoft Exchange Server
CVE-2015-2358
	RESERVED
CVE-2015-2357
	RESERVED
CVE-2015-2356
	RESERVED
CVE-2015-2355
	RESERVED
CVE-2015-2354
	RESERVED
CVE-2015-2353
	RESERVED
CVE-2015-2352 (The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not ...)
	NOT-FOR-US: MyBB
CVE-2015-2351 (Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms ...)
	NOT-FOR-US: Alkacon OpenCms
CVE-2015-2350 (Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5 ...)
	NOT-FOR-US: MikroTik RouterOS
CVE-2015-2349 (Cross-site scripting (XSS) vulnerability in defaultnewsletter.php in S ...)
	NOT-FOR-US: SuperWebMailer
CVE-2015-2686 (net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate ...)
	- linux (Introduced in 3.19, never uploaded to unstable)
	- linux-2.6 (Introduced in 3.19, never uploaded to unstable)
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4de930efc23b92ddf88ce91c405ee645fe6e27ea
CVE-2015-XXXX [Insufficient escaping in user manager allows XSS attack]
	- dokuwiki 0.0.20140929.d-1 (bug #780817)
	[jessie] - dokuwiki (Minor issue)
	[wheezy] - dokuwiki (Minor issue)
	[squeeze] - dokuwiki (Minor issue)
CVE-2015-6674 (Buffer underflow vulnerability in the Debian inspircd package before 2 ...)
	{DSA-3226-1 DLA-276-1}
	- inspircd 2.0.16-1 (bug #780880)
	NOTE: Correct fix: https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/29/5
CVE-2015-2788 (Multiple stack-based buffer overflows in the ib_fill_isqlda function i ...)
	{DSA-3219-1}
	- libdbd-firebird-perl 1.18-2 (bug #780925)
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/30/4
CVE-2015-4148 (The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5 ...)
	{DLA-307-1}
	- php5 5.6.7+dfsg-1
	[wheezy] - php5 5.4.39-0+deb7u1
	NOTE: https://bugs.php.net/bug.php?id=69085
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/14
CVE-2015-4147 (The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, ...)
	{DLA-307-1}
	- php5 5.6.7+dfsg-1
	[wheezy] - php5 5.4.39-0+deb7u1
	NOTE: https://bugs.php.net/bug.php?id=69085
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/14
CVE-2015-2779 (Stack consumption vulnerability in the message splitting functionality ...)
	- quassel 1:0.10.0-2.3 (bug #781024)
	[wheezy] - quassel (According to upstream issue isn't triggerable in 0.8)
	[squeeze] - quassel (According to upstream issue isn't triggerable in 0.6)
	NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/12
CVE-2015-2778 (Quassel before 0.12-rc1 uses an incorrect data-type size when splittin ...)
	- quassel 1:0.10.0-2.3 (bug #781024)
	[wheezy] - quassel (According to upstream issue isn't triggerable in 0.8)
	[squeeze] - quassel (According to upstream issue isn't triggerable in 0.6)
	NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/12
CVE-2015-2348 (The move_uploaded_file implementation in ext/standard/basic_functions. ...)
	{DSA-3198-1 DLA-444-1}
	- php5 5.6.7+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=69207
CVE-2015-2347 (Cross-site scripting (XSS) vulnerability in Huawei SEQ Analyst before ...)
	NOT-FOR-US: Huawei SEQ Analyst
CVE-2015-2346 (XML external entity (XXE) vulnerability in Huawei SEQ Analyst before V ...)
	NOT-FOR-US: Huawei
CVE-2015-2345
	REJECTED
CVE-2015-2344 (Cross-site scripting (XSS) vulnerability in VMware vRealize Automation ...)
	NOT-FOR-US: VMware vRealize Automation
CVE-2015-2343
	REJECTED
CVE-2015-2342 (The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 befor ...)
	NOT-FOR-US: VMware
CVE-2015-2341 (VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, ...)
	NOT-FOR-US: VMware
CVE-2015-2340 (TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11. ...)
	NOT-FOR-US: VMware
CVE-2015-2339 (TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...)
	NOT-FOR-US: VMware
CVE-2015-2338 (TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...)
	NOT-FOR-US: VMware
CVE-2015-2337 (TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11. ...)
	NOT-FOR-US: VMware
CVE-2015-2336 (TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...)
	NOT-FOR-US: VMware
CVE-2015-2335 (A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remot ...)
	NOT-FOR-US: MyBB
CVE-2015-2334 (Cross-site request forgery (CSRF) vulnerability in the Admin Control P ...)
	NOT-FOR-US: MyBB
CVE-2015-2333 (Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB ...)
	NOT-FOR-US: MyBB
CVE-2015-2332 (Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka My ...)
	NOT-FOR-US: MyBB
CVE-2015-2559 (Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated ...)
	{DSA-3200-1}
	- drupal7 7.32-1+deb8u2 (bug #780772)
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-001
	NOTE: http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549
CVE-2015-2750 (Open redirect vulnerability in URL-related API functions in Drupal 6.x ...)
	{DSA-3200-1}
	- drupal7 7.32-1+deb8u2 (bug #780772)
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-001
	NOTE: http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93
	NOTE: http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8
CVE-2015-2749 (Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7 ...)
	{DSA-3200-1}
	- drupal7 7.32-1+deb8u2 (bug #780772)
	- drupal6
	[squeeze] - drupal6
	NOTE: https://www.drupal.org/SA-CORE-2015-001
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/19/5
CVE-2015-2329 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...)
	NOT-FOR-US: WooCommerce plugin for WordPress
CVE-2015-2328 (PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related ...)
	- mongodb (unimportant)
	NOTE: CVE for bundled version of pcre3 in mongodb
	NOTE: https://jira.mongodb.org/browse/SERVER-17252
	NOTE: Since 1:2.0.0-1 mongodb uses the system pcre3
	- pcre3 2:8.35-7.2 (low)
	[jessie] - pcre3 2:8.35-3.3+deb8u2
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1515
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1498
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/31/4
CVE-2015-2327 (PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern ...)
	- mongodb (unimportant)
	NOTE: CVE for bundled version of pcre3 in mongodb
	NOTE: https://jira.mongodb.org/browse/SERVER-17252
	NOTE: Since 1:2.0.0-1 mongodb uses the system pcre3
	- pcre3 2:8.35-7.2 (low)
	[jessie] - pcre3 2:8.35-3.3+deb8u1
	[wheezy] - pcre3 (Minor issue)
	[squeeze] - pcre3 (Minor issue)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=1503
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1495
	NOTE: https://www.openwall.com/lists/oss-security/2015/05/31/5
CVE-2015-2326 (The pcre_compile2 function in PCRE before 8.37 allows context-dependen ...)
	- pcre3 2:8.35-7.2 (bug #783285)
	[jessie] - pcre3 2:8.35-3.3+deb8u1
	[wheezy] - pcre3 (Vulnerable code introduced while refactoring between 8.33 and 8.36)
	[squeeze] - pcre3 (Vulnerable code introduced while refactoring between 8.33 and 8.36)
	NOTE: http://bugs.exim.org/show_bug.cgi?id=1592
	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1529
	NOTE: Reproduced invalid read in pcre3/2:8.35-3.3
	NOTE: Issue introduced as a side effect of refactoring that happened between 8.33 and 8.36
CVE-2015-2325 (The compile_branch function in PCRE before 8.37 allows context-depende ...)
	- pcre3 2:8.35-7.2 (unimportant; bug #781795)
	[jessie] - pcre3 2:8.35-3.3+deb8u1
	NOTE: http://bugs.exim.org/show_bug.cgi?id=1591
	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1528
	NOTE: Reproducer leads to "Failed: internal error: previously-checked referenced subpattern not found at offset 17"
	NOTE: Upstream claims that it should be the same bug, though:
	NOTE: http://bugs.exim.org/show_bug.cgi?id=1591#c1
	NOTE: Comment from upstream: Probably every version since the support for forward referencing
	NOTE: was introduced is affected.
CVE-2015-2324 (Cross-site scripting (XSS) vulnerability in the filemanager in the Pho ...)
	NOT-FOR-US: filemanager in the Photo Gallery plugin for WordPress
CVE-2015-2323 (FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, ...)
	NOT-FOR-US: FortiOS
CVE-2015-2322
	RESERVED
CVE-2015-2321 (Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7 ...)
	NOT-FOR-US: WordPress plugin job-manager
CVE-2015-2317 (The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1. ...)
	{DSA-3204-1 DLA-272-1}
	- python-django 1.7.7-1 (bug #780873)
	[squeeze] - python-django (Minor issue, can wait for next security upload)
	NOTE: https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b (1.4.x)
	NOTE: https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1 (1.7.x)
CVE-2015-2316 (The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7. ...)
	- python-django 1.7.7-1 (bug #780874)
	[wheezy] - python-django (vulnerable code not present)
	[squeeze] - python-django (vulnerable code not present)
	NOTE: https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97 (1.7.x)
CVE-2015-2315 (Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1 ...)
	NOT-FOR-US: WordPress plugin wpml
CVE-2015-2314 (SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPr ...)
	NOT-FOR-US: WordPress plugin wpml
CVE-2015-XXXX [nasal scripts can read any file]
	- flightgear-data 3.0.0-3 (bug #780716)
CVE-2015-XXXX [permissive file access allowed from nasal]
	- flightgear 3.0.0-5 (bug #780712)
	[squeeze] - flightgear 1.9.1-1.1+deb6u11
	NOTE: workaround entry for DLA 318-1 until/if CVE assigned
CVE-2015-2666 (Stack-based buffer overflow in the get_matching_model_microcode functi ...)
	- linux 3.16.7-ckt9-1
	[wheezy] - linux (Introduced in 3.9)
	- linux-2.6 (Introduced in 3.9)
	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec400ddeff200b068ddc6c70f7321f49ecf32ed5 (v3.9-rc1)
	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 (v4.0-rc1)
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/7
CVE-2015-2684 (Shibboleth Service Provider (SP) before 2.5.4 allows remote authentica ...)
	{DSA-3207-1 DLA-259-1}
	- shibboleth-sp2 2.5.3+dfsg-2
	NOTE: http://shibboleth.net/community/advisories/secadv_20150319.txt
CVE-2015-2672 (The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the ...)
	- linux
	- linux-2.6
	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f31a9f7c71691569359fa7fb8b0acaa44bce0324 (v3.17-rc1)
	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06 (v4.0-rc3)
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/6
CVE-2015-2331 (Integer overflow in the _zip_cdir_new function in zip_dirent.c in libz ...)
	{DSA-3198-1 DLA-212-1}
	- php5 5.6.7+dfsg-1 (bug #780713)
	- libzip 0.11.2-1.2 (bug #780756)
	[wheezy] - libzip (Vulnerable code introduced with added Zip64 support in 0.11)
	[squeeze] - libzip (Vulnerable code introduced with added Zip64 support in 0.11)
	NOTE: https://bugs.php.net/bug.php?id=69253
	NOTE: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/1
	NOTE: libzip patch: http://hg.nih.at/libzip/rev/9f11d54f692e
CVE-2015-2330 (Late TLS certificate verification in WebKitGTK+ prior to 2.6.6 allows ...)
	- webkitgtk 2.4.9-1 (unimportant)
	[jessie] - webkitgtk 2.4.9-1~deb8u1
	NOTE: Not covered by security support
CVE-2015-2309 [Unsafe methods in the Request class]
	RESERVED
	- symfony 2.3.21+dfsg-4
CVE-2015-2308 (Eval injection vulnerability in the HttpCache class in HttpKernel in S ...)
	- symfony 2.3.21+dfsg-4
CVE-2015-2307
	RESERVED
CVE-2015-2306
	RESERVED
CVE-2015-2320 (The TLS stack in Mono before 3.12.1 allows remote attackers to have un ...)
	{DSA-3202-1 DLA-176-1}
	- mono 3.2.8+dfsg-10 (bug #780751)
	NOTE: https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b
CVE-2015-2319 (The TLS stack in Mono before 3.12.1 makes it easier for remote attacke ...)
	{DSA-3202-1 DLA-176-1}
	- mono 3.2.8+dfsg-10 (bug #780751)
	NOTE: https://github.com/mono/mono/commit/9c38772f094168d8bfd5bc73bf8925cd04faad10
	NOTE: Patch for versions earlier than 3.4: https://gist.github.com/directhex/728af6f96d1b8c976659
CVE-2015-2318 (The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers ...)
	{DSA-3202-1 DLA-176-1}
	- mono 3.2.8+dfsg-10 (bug #780751)
	NOTE: https://github.com/mono/mono/commit/1509226c41d74194c146deb173e752b8d3cdeec4
	NOTE: Patch for versions earlier than 3.4: https://gist.github.com/directhex/f8c6e67f551d8a608154
CVE-2015-2303
	REJECTED
CVE-2015-2302
	REJECTED
CVE-2015-2300
	RESERVED
CVE-2015-2299
	RESERVED
CVE-2015-2295 (Cross-site request forgery (CSRF) vulnerability in system_firmware_res ...)
	NOT-FOR-US: pfSense
CVE-2015-2294 (Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in p ...)
	NOT-FOR-US: pfSense
CVE-2015-2293 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin/cl ...)
	NOT-FOR-US: WordPress plugin wordpress-seo
CVE-2015-2292 (Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list ...)
	NOT-FOR-US: WordPress plugin wordpress-seo
CVE-2015-2291 ((1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the ...)
	NOT-FOR-US: Intel Ethernet diagnostics driver for Windows
CVE-2015-2290
	RESERVED
CVE-2015-2288
	RESERVED
CVE-2015-2313 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.2, when an ...)
	- capnproto 0.4.1-3 (bug #780568)
CVE-2015-2312 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.1 allows r ...)
	- capnproto 0.4.1-3 (bug #780567)
CVE-2015-2311 (Integer underflow in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x be ...)
	- capnproto 0.4.1-3 (bug #780566)
CVE-2015-2310 (Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 ...)
	- capnproto 0.4.1-3 (bug #780565)
CVE-2015-8856 (Cross-site scripting (XSS) vulnerability in the serve-index package be ...)
	- node-serve-index 1.9.1-1 (unimportant)
	NOTE: libv8 is not covered by security support
	NOTE: https://nodesecurity.io/advisories/serve-static-xss
	NOTE: https://github.com/expressjs/serve-index/issues/28
CVE-2015-8903 (The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x befor ...)
	{DLA-960-1}
	[experimental] - imagemagick 8:6.9.1.2-1
	- imagemagick 8:6.8.9.9-6 (low)
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[squeeze] - imagemagick (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
	NOTE: http://web.archive.org/web/20150428140926/http://trac.imagemagick.org/changeset/17856
CVE-2015-8902 (The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6. ...)
	{DLA-960-1}
	[experimental] - imagemagick 8:6.9.1.2-1
	- imagemagick 8:6.8.9.9-6 (low)
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[squeeze] - imagemagick (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
	NOTE: http://web.archive.org/web/20150428145652/http://trac.imagemagick.org/changeset/17855
CVE-2015-8901 (ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a ...)
	{DLA-960-1}
	[experimental] - imagemagick 8:6.9.1.2-1
	- imagemagick 8:6.8.9.9-6
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[squeeze] - imagemagick (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
CVE-2015-8900 (The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x a ...)
	{DLA-960-1}
	[experimental] - imagemagick 8:6.9.1.2-1
	- imagemagick 8:6.8.9.9-6
	[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
	[squeeze] - imagemagick (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26929
	NOTE: http://web.archive.org/web/20150501030131/http://trac.imagemagick.org/changeset/17845
	NOTE: http://web.archive.org/web/20150429001241/http://trac.imagemagick.org/changeset/17846
CVE-2015-XXXX [Incomplete fix for CVE-2014-7940]
	- icu 52.1-8 (bug #780503)
	[wheezy] - icu (Incomplete patch was never applied)
	[squeeze] - icu (Incomplete patch was never applied)
CVE-2015-2298 (node/utils/ExportEtherpad.js in Etherpad 1.5.x before 1.5.2 might allo ...)
	- etherpad-lite (bug #576998)
	NOTE: https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d
CVE-2015-2296 (The resolve_redirects function in sessions.py in requests 2.1.0 throug ...)
	- requests 2.4.3-6 (bug #780506)
	[wheezy] - requests (Vulnerable code introduced in 2.1.0)
	NOTE: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
CVE-2015-2289 (Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entri ...)
	- serendipity
CVE-2015-2287
	REJECTED
CVE-2015-2286 (lms/templates/footer-edx-new.html in Open edX edx-platform before 2015 ...)
	NOT-FOR-US: Open edX
CVE-2015-2285 (The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart ...)
	- upstart (Vulnerable cron.daily script not present)
CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6 ...)
	NOT-FOR-US: SolarWinds Firewall Security Manager
CVE-2015-2674 (Restkit allows man-in-the-middle attackers to spoof TLS servers by lev ...)
	- python-restkit (bug #781813)
	[stretch] - python-restkit (Minor issue)
	[jessie] - python-restkit (Minor issue)
	[wheezy] - python-restkit (Minor issue)
	[squeeze] - python-restkit (Minor issue)
	NOTE: https://github.com/benoitc/restkit/issues/140
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/12/9
CVE-2015-2283
	RESERVED
CVE-2015-2282 (Stack-based buffer overflow in the LZC decompression implementation (C ...)
	NOT-FOR-US: SAP
CVE-2015-2281 (Stack-based buffer overflow in collectoragent.exe in Fortinet Single S ...)
	NOT-FOR-US: Fortinet Single Sign On
CVE-2015-2280 (snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network ...)
	NOT-FOR-US: AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera
CVE-2015-2279 (cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with fi ...)
	NOT-FOR-US: AirLive
CVE-2015-2278 (The LZH decompression implementation (CsObjectInt::BuildHufTree functi ...)
	NOT-FOR-US: SAP
CVE-2015-2277
	RESERVED
CVE-2015-2276
	RESERVED
CVE-2015-2275 (Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery ...)
	NOT-FOR-US: WoltLab Community Gallery
CVE-2015-2274
	RESERVED
CVE-2015-2273 (Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364
CVE-2015-2272 (login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x bef ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691
CVE-2015-2271 (tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084
CVE-2015-2270 (lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x b ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804
CVE-2015-2269 (Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript- ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144
CVE-2015-2268 (filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6. ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38466
CVE-2015-2267 (mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087
CVE-2015-2266 (message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x b ...)
	- moodle 2.7.7+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204
CVE-2015-2264 (Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics ...)
	NOT-FOR-US: Telerik Analytics Monitor Library
CVE-2015-2263 (Cloudera Manager 4.x, 5.0.x before 5.0.6, 5.1.x before 5.1.5, 5.2.x be ...)
	NOT-FOR-US: Cloudera
CVE-2015-2262
	RESERVED
CVE-2015-2261
	RESERVED
CVE-2015-2260
	RESERVED
CVE-2015-2259
	RESERVED
CVE-2015-2258
	RESERVED
CVE-2015-2257
	RESERVED
CVE-2015-2256
	RESERVED
CVE-2015-2255 (Huawei AR1220 routers with software before V200R005SPH006 allow remote ...)
	NOT-FOR-US: Huawei
CVE-2015-2254 (Huawei OceanStor UDS devices with software before V100R002C01SPC102 mi ...)
	NOT-FOR-US: Huawei OceanStor UDS devices
CVE-2015-2253 (The XML interface in Huawei OceanStor UDS devices with software before ...)
	NOT-FOR-US: Huawei
CVE-2015-2252 (Huawei OceanStor UDS devices with software before V100R002C01SPC102 mi ...)
	NOT-FOR-US: Huawei
CVE-2015-2251 (The DeviceManager in Huawei OceanStor UDS devices with software before ...)
	NOT-FOR-US: Huawei
CVE-2015-2250 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 befor ...)
	NOT-FOR-US: concrete5
CVE-2015-2249 (Zimbra Collaboration before 8.6.0 patch5 has XSS. ...)
	NOT-FOR-US: Zimbra Collaboration
CVE-2015-2248 (Cross-site request forgery (CSRF) vulnerability in the user portal in ...)
	NOT-FOR-US: Dell SonicWALL
CVE-2015-2247 (Unspecified vulnerability in Boosted Boards skateboards allows physica ...)
	NOT-FOR-US: Boosted Boards skateboards
CVE-2015-2246 (The MeWidget module on Huawei P7 smartphones with software P7-L10 V100 ...)
	NOT-FOR-US: Huawei
CVE-2015-2245 (Huawei Ascend P7 allows remote attackers to cause a denial of service ...)
	NOT-FOR-US: Huawei
CVE-2015-2244 (Multiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.0 ...)
	NOT-FOR-US: Webshop hun
CVE-2015-2243 (Directory traversal vulnerability in Webshop hun 1.062S allows remote ...)
	NOT-FOR-US: Webshop hun
CVE-2015-2242 (Multiple SQL injection vulnerabilities in Webshop hun 1.062S allow rem ...)
	NOT-FOR-US: Webshop hun
CVE-2015-XXXX [several security vulnerabilities and network packets can terminate the connection]
	- armagetronad 0.2.8.3.2-4 (bug #780178)
	[wheezy] - armagetronad (Minor issue)
	[squeeze] - armagetronad (Minor issue)
CVE-2015-2301 (Use-after-free vulnerability in the phar_rename_archive function in ph ...)
	{DSA-3198-1 DLA-212-1}
	- php5 5.6.6+dfsg-1
	NOTE: https://bugs.php.net/bug.php?id=68901
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/10/6
CVE-2015-2265 (The remove_bad_chars function in utils/cups-browsed.c in cups-filters ...)
	- cups-filters 1.0.61-5 (bug #780267)
	[wheezy] - cups-filters (vulnerable code not present)
	NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/09/5
CVE-2015-2241 (Cross-site scripting (XSS) vulnerability in the contents function in a ...)
	- python-django 1.7.6-1
	[wheezy] - python-django (Only affects 1.7.x and 1.8.x)
	[squeeze] - python-django (Only affects 1.7.x and 1.8.x)
	NOTE: https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
CVE-2015-2240
	RESERVED
CVE-2015-2239 (Google Chrome before 41.0.2272.76, when Instant Extended mode is used, ...)
	- chromium-browser 41.0.2272.76-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-2238 (Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as ...)
	- chromium-browser 41.0.2272.76-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libv8-3.14 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-2237 (Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) ...)
	NOT-FOR-US: Betster
CVE-2015-2236
	RESERVED
CVE-2015-2235
	REJECTED
CVE-2015-2234 (Race condition in Lenovo System Update (formerly ThinkVantage System U ...)
	NOT-FOR-US: Lenovo System Update
CVE-2015-2233 (Lenovo System Update (formerly ThinkVantage System Update) before 5.06 ...)
	NOT-FOR-US: Lenovo System Update
CVE-2015-2232
	RESERVED
CVE-2015-2231
	RESERVED
CVE-2015-2230 (Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS ...)
	NOT-FOR-US: Synacor Zimbra Collaboration Server
CVE-2015-2229
	RESERVED
CVE-2015-2228
	RESERVED
CVE-2015-2227
	RESERVED
CVE-2015-2226
	RESERVED
CVE-2015-2225
	RESERVED
CVE-2015-2224
	RESERVED
CVE-2015-2223 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based c ...)
	NOT-FOR-US: Palo Alto Networks Traps
CVE-2015-2222 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...)
	{DLA-233-1}
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/8aeedf3c4282bc916d6f6c290e1e530d125ec953
CVE-2015-2221 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...)
	{DLA-233-1}
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/0844d0cfe118b4041ed8e2ee49ff18bfbca8eaa5
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/26b19809fb3b940cb0fda0422d685fff02a53b5f
CVE-2015-2220 (Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms ...)
	NOT-FOR-US: Ninja Forms plugin for WordPress
CVE-2015-2219 (Lenovo System Update (formerly ThinkVantage System Update) before 5.06 ...)
	NOT-FOR-US: Lenovo System Update
CVE-2015-2218 (Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_sav ...)
	NOT-FOR-US: wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin for WordPress
CVE-2015-2217 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Bo ...)
	NOT-FOR-US: myUPB
CVE-2015-2216 (SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme ...)
	NOT-FOR-US: Photocrati theme for WordPress
CVE-2015-2215 (Open redirect vulnerability in the Services single sign-on server help ...)
	NOT-FOR-US: Drupal module Services single sign-on server helper
CVE-2015-2214 (NetCat 5.01 and earlier allows remote attackers to obtain the installa ...)
	NOT-FOR-US: NetCat CMS
CVE-2015-2213 (SQL injection vulnerability in the wp_untrash_post_comments function i ...)
	{DSA-3383-1 DSA-3332-1 DLA-294-1}
	- wordpress 4.2.4+dfsg-1 (bug #794560)
	NOTE: https://core.trac.wordpress.org/changeset/33555
	NOTE: https://core.trac.wordpress.org/changeset/33556
CVE-2015-2212
	REJECTED
CVE-2015-2211
	RESERVED
CVE-2015-XXXX [tcllib XSS]
	- tcllib 1.16-dfsg-2 (low; bug #780100)
	[wheezy] - tcllib 1.14-dfsg-3+deb7u1
	[squeeze] - tcllib (Minor issue)
CVE-2015-2210 (The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows ...)
	NOT-FOR-US: Epicor CRS Retail Store
CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation path vi ...)
	NOT-FOR-US: DLGuard
CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remo ...)
	NOT-FOR-US: phpMoAdmin
CVE-2015-2207 (Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Reso ...)
	NOT-FOR-US: NetCracker Resource Management System
CVE-2015-2206 (libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2 ...)
	{DSA-3382-1 DLA-336-1}
	- phpmyadmin 4:4.4.4-1 (unimportant)
	NOTE: Hardening, not a concrete issue itself
	NOTE: https://www.phpmyadmin.net/security/PMASA-2015-1/
CVE-2015-2205
	RESERVED
CVE-2015-2202
	RESERVED
CVE-2015-2201
	RESERVED
CVE-2015-2200
	RESERVED
CVE-2015-2199 (Multiple SQL injection vulnerabilities in the WonderPlugin Audio Playe ...)
	NOT-FOR-US: WonderPlugin Audio Player plugin for WordPress
CVE-2015-2198 (Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php ...)
	NOT-FOR-US: Beehive Forum
CVE-2015-2197 (Cross-site scripting (XSS) vulnerability in the Entity API module befo ...)
	NOT-FOR-US: Entity module for Drupal
CVE-2015-2196 (SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPre ...)
	NOT-FOR-US: Spider Event Calendar
CVE-2015-2195 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Media Cl ...)
	NOT-FOR-US: WP Media Cleaner plugin for WordPress
CVE-2015-2194 (Unrestricted file upload vulnerability in the fusion_options function ...)
	NOT-FOR-US: fusion_options function in functions.php in the Fusion theme for WordPress
CVE-2015-2193
	RESERVED
CVE-2015-2675 (The OAuth implementation in librest before 0.7.93 incorrectly truncate ...)
	- librest 0.7.92-3 (bug #780101)
	[wheezy] - librest (rest_proxy_call_get_url not yet used)
	[squeeze] - librest (rest_proxy_call_get_url not yet used)
	NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=742644
	NOTE: Commit: https://git.gnome.org/browse/librest/commit/?id=b50ace7738ea038
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/04/6
CVE-2015-2204 (Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 all ...)
	NOT-FOR-US: Evergreen library
CVE-2015-2203 (Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users wi ...)
	NOT-FOR-US: Evergreen library
CVE-2015-2192 (Integer overflow in the dissect_osd2_cdb_continuation function in epan ...)
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	[wheezy] - wireshark (Only affects 1.12.x)
	[squeeze] - wireshark (Only affects 1.12.x)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11024
CVE-2015-2191 (Integer overflow in the dissect_tnef function in epan/dissectors/packe ...)
	{DSA-3210-1 DLA-198-1}
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11023
CVE-2015-2190 (epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handl ...)
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	[wheezy] - wireshark (Only affects 1.12.x)
	[squeeze] - wireshark (Only affects 1.12.x)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10983
CVE-2015-2189 (Off-by-one error in the pcapng_read function in wiretap/pcapng.c in th ...)
	{DSA-3210-1}
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	[squeeze] - wireshark (Vulnerable code not present)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895
CVE-2015-2188 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x ...)
	{DSA-3210-1 DLA-198-1}
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10844
	NOTE: http://www.wireshark.org/security/wnpa-sec-2015-07.html
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b204ff4846fe84b7789893c6b1d9afbdecac5b5d
CVE-2015-2187 (The dissect_atn_cpdlc_heur function in asn1/atn-cpdlc/packet-atn-cpdlc ...)
	- wireshark 1.12.1+g01b65bf-4 (bug #780372)
	[wheezy] - wireshark (Only affects 1.12.x)
	[squeeze] - wireshark (Only affects 1.12.x)
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9952
CVE-2015-2186 (The Ansible edxapp role in the Configuration Repo in edX allows remote ...)
	NOT-FOR-US: edX
CVE-2015-2185
	RESERVED
CVE-2015-2184 (ZeusCart 4 allows remote attackers to obtain configuration information ...)
	NOT-FOR-US: ZeusCart
CVE-2015-2183 (Multiple SQL injection vulnerabilities in the administrative backend i ...)
	NOT-FOR-US: ZeusCart
CVE-2015-2182 (Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allo ...)
	NOT-FOR-US: ZeusCart
CVE-2015-2181 (Multiple buffer overflows in the DBMail driver in the Password plugin ...)
	- roundcube 1.1.1+dfsg.1-2
	[wheezy] - roundcube (variable and chgdbmailusers.c do not exist)
	NOTE: http://trac.roundcube.net/ticket/1490261
	NOTE: http://advisories.mageia.org/MGASA-2015-0400.html
	NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html
CVE-2015-2180 (The DBMail driver in the Password plugin in Roundcube before 1.1.0 all ...)
	- roundcube 1.1.1+dfsg.1-2
	[wheezy] - roundcube (dbmail driver does not exist)
	NOTE: http://trac.roundcube.net/ticket/1490261
	NOTE: http://advisories.mageia.org/MGASA-2015-0400.html
	NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html
CVE-2015-2179
	RESERVED
CVE-2015-2178
	REJECTED
CVE-2015-2177 (Siemens SIMATIC S7-300 CPU devices allow remote attackers to cause a d ...)
	NOT-FOR-US: Siemens
CVE-2015-2176
	RESERVED
CVE-2015-2175
	RESERVED
CVE-2015-2174
	RESERVED
CVE-2015-2173
	RESERVED
CVE-2015-2171 (Middleware/SessionCookie.php in Slim before 2.6.0 allows remote attack ...)
	NOT-FOR-US: Slim PHP Framework
CVE-2015-2170 (The upx decoder in ClamAV before 0.98.7 allows remote attackers to cau ...)
	{DLA-233-1}
	- clamav 0.98.7+dfsg-1
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/625f5a9b8f008b8714850e4aa064dee1de06e534
CVE-2015-2169 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExp ...)
	NOT-FOR-US: Zoho ManageEngine AssetExplorer
CVE-2015-2168
	REJECTED
CVE-2015-2167 (Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobil ...)
	NOT-FOR-US: Ericsson
CVE-2015-2166 (Directory traversal vulnerability in the Instance Monitor in Ericsson ...)
	NOT-FOR-US: Ericsson
CVE-2015-2165 (Multiple cross-site scripting (XSS) vulnerabilities in the Report View ...)
	NOT-FOR-US: Ericsson
CVE-2015-2164
	RESERVED
CVE-2015-2163
	RESERVED
CVE-2015-2162
	RESERVED
CVE-2015-2161
	RESERVED
CVE-2015-2160
	RESERVED
CVE-2015-2159
	RESERVED
CVE-2015-2156 (Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0 ...)
	- netty3.1
	[wheezy] - netty3.1 (Minor issue)
	- netty 1:4.0.31-1 (bug #796114)
	[jessie] - netty (Minor issue, invasive patch)
	[wheezy] - netty (Minor issue)
	[squeeze] - netty (Minor issue)
	- netty-3.9 3.9.9.Final-1 (bug #793770)
	[jessie] - netty-3.9 (Minor issue, invasive patch)
	- playframework (bug #646523)
	NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
	NOTE: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
	NOTE: http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
	NOTE: https://github.com/netty/netty/commit/97d871a7553a01384b43df855dccdda5205ae77a
CVE-2015-2155 (The force printer in tcpdump before 4.7.2 allows remote attackers to c ...)
	{DSA-3193-1 DLA-174-1}
	- tcpdump 4.6.2-4
	NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
CVE-2015-2154 (The osi_print_cksum function in print-isoclns.c in the ethernet printe ...)
	{DSA-3193-1 DLA-174-1}
	- tcpdump 4.6.2-4
	NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
CVE-2015-2153 (The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer ...)
	{DSA-3193-1}
	- tcpdump 4.6.2-4
	[squeeze] - tcpdump (Vulnerable code not present)
	NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
CVE-2015-2152 (Xen 4.5.x and earlier enables certain default backends when emulating ...)
	- xen 4.4.1-9 (low; bug #780975)
	[wheezy] - xen (Minor issue, xl not used in wheezy)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-119.html
CVE-2015-2151 (The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore s ...)
	{DSA-3181-1}
	- xen 4.4.1-8 (bug #780227)
	[squeeze] - xen (Not supported in Squeeze LTS)
	NOTE: http://xenbits.xen.org/xsa/advisory-123.html
CVE-2015-2150 (Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not pro ...)
	{DSA-3237-1}
	- linux 3.16.7-ckt9-1
	- linux-2.6 (xen-pciback introduced in 3.1)
	NOTE: http://xenbits.xen.org/xsa/advisory-120.html
CVE-2015-2149 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...)
	NOT-FOR-US: MyBB
CVE-2015-2148 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2147 (Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker b ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2146 (Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker b ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2145 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2144 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2143 (Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetra ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2142 (Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetra ...)
	NOT-FOR-US: phpBugTracker
CVE-2015-2141 (The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcr ...)
	{DSA-3296-1 DLA-262-1}
	- libcrypto++ 5.6.1-7
	NOTE: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
	NOTE: https://eprint.iacr.org/2015/368
CVE-2015-2140 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-2139 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...)
	NOT-FOR-US: HP Systems Insight Manager
CVE-2015-2138
	REJECTED
CVE-2015-2137 (Unspecified vulnerability in HP Operations Manager i (OMi) 9.22, 9.23, ...)
	NOT-FOR-US: HP Operations Manager i
CVE-2015-2136 (HP ArcSight Logger before 6.0 P2 allows remote authenticated users to ...)
	NOT-FOR-US: HP ArcSight
CVE-2015-2135 (Unspecified vulnerability in HP Intelligent Provisioning 1.00 through ...)
	NOT-FOR-US: HP Intelligent Provisioning
CVE-2015-2134 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...)
	NOT-FOR-US: Hewlett-Packard
CVE-2015-2133
	REJECTED
CVE-2015-2132 (Unspecified vulnerability in the execve system-call implementation in ...)
	NOT-FOR-US: HP HP-UX
CVE-2015-2131
	REJECTED
CVE-2015-2130
	REJECTED
CVE-2015-2129
	REJECTED
CVE-2015-2128
	REJECTED
CVE-2015-2127
	REJECTED
CVE-2015-2126 (Unspecified vulnerability in pppoec in HP HP-UX 11iv2 and 11iv3 allows ...)
	NOT-FOR-US: HP-UX (pppoec)
CVE-2015-2125 (Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10. ...)
	NOT-FOR-US: HP WebInspect
CVE-2015-2124 (Unspecified vulnerability in Easy Setup Wizard in HP ThinPro Linux 4.1 ...)
	NOT-FOR-US: HP
CVE-2015-2123 (Unspecified vulnerability in HP NonStop Safeguard Security Software H0 ...)
	NOT-FOR-US: HP NonStop Safeguard Security Software
CVE-2015-2122 (The REST layer on HP SDN VAN Controller devices 2.5 and earlier allows ...)
	NOT-FOR-US: HP
CVE-2015-2121 (HP Network Virtualization for LoadRunner and Performance Center 8.61 a ...)
	NOT-FOR-US: HP
CVE-2015-2120 (Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x be ...)
	NOT-FOR-US: HP SiteScope
CVE-2015-2119
	REJECTED
CVE-2015-2118 (Unspecified vulnerability in the Secure Pull Print and Security Pull P ...)
	NOT-FOR-US: HP Access Control Software
CVE-2015-2117 (HP TippingPoint Security Management System (SMS) and TippingPoint Virt ...)
	NOT-FOR-US: HP TippingPoint
CVE-2015-2116 (Unspecified vulnerability in HP Storage Data Protector 7.x before 7.03 ...)
	NOT-FOR-US: HP
CVE-2015-2115 (Unspecified vulnerability in HP Capture and Route Software (HPCR) 1.3 ...)
	NOT-FOR-US: HP Capture and Route
CVE-2015-2114 (HP Support Solution Framework before 11.51.0049 allows remote attacker ...)
	NOT-FOR-US: HP Support Solution Framework
CVE-2015-2113 (Unspecified vulnerability in HP Easy Deploy, as distributed standalone ...)
	NOT-FOR-US: HP Thin Clients
CVE-2015-2112 (Unspecified vulnerability in HP Easy Deploy, as distributed standalone ...)
	NOT-FOR-US: HP Thin Clients
CVE-2015-2111 (Unspecified vulnerability in HP Intelligent Provisioning 1.40 through ...)
	NOT-FOR-US: HP Intelligent Provisioning
CVE-2015-2110 (Buffer overflow in HP LoadRunner 11.52 allows remote attackers to exec ...)
	NOT-FOR-US: HP LoadRunner
CVE-2015-2109 (Unspecified vulnerability in HP Operations Orchestration 10.x allows r ...)
	NOT-FOR-US: HP Operations Orchestration
CVE-2015-2108 (Unspecified vulnerability in Powershell Operations in HP Operations Or ...)
	NOT-FOR-US: HP Operations Orchestration
CVE-2015-2107 (HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows ...)
	NOT-FOR-US: HP Operations Manager
CVE-2015-2106 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 2 ...)
	NOT-FOR-US: HP Integrated Lights-Out
CVE-2015-2105
	RESERVED
CVE-2015-2104
	REJECTED
CVE-2015-2103 (Cross-site scripting (XSS) vulnerability in the admin-login panel (adm ...)
	NOT-FOR-US: Cosmoshop
CVE-2015-2102 (SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2. ...)
	NOT-FOR-US: ClipBucket
CVE-2015-2101 (Cross-site scripting (XSS) vulnerability in the Navigate bar in the Na ...)
	NOT-FOR-US: Navigate module for Drupal
CVE-2015-XXXX [heap buffer overflow]
	- bibtool 2.57+ds-3 (bug #779573)
	[squeeze] - bibtool (Minor issue)
	[wheezy] - bibtool (Minor issue)
	NOTE: Upstream patch: https://github.com/ge-ne/bibtool/commit/c6ed92c556f28ca2c738972c647486f9e11424bf
CVE-2015-XXXX [dcerpc: exit()'s on malloc failure]
	- suricata 2.0.7-1
	[wheezy] - suricata (Unusable in wheezy, planned for removal)
	[squeeze] - suricata (Minor issue)
	NOTE: https://github.com/inliniac/suricata/commit/89017d0b03bf715a3f4e11b612c6c7a23549304a
CVE-2015-XXXX [http uri parsing issue]
	- libhtp 1:0.5.25-1 (bug #783007)
	[squeeze] - libhtp (Minor issue)
	NOTE: if libhtp gets updated to 0.5.17 in sid, it will conflict with suricata which ships the library too (see #783005)
	[wheezy] - libhtp (Unusable in wheezy, planned for removal)
	- suricata 2.0.7-1
	[wheezy] - suricata (Uses system-wide libhtp)
	[squeeze] - suricata (Uses system-wide libhtp)
	NOTE: https://redmine.openinfosecfoundation.org/issues/1391
	NOTE: https://github.com/OISF/libhtp/commit/1a6c9465fb641f81460392f622d1878d5e87fc00
	NOTE: Fixed in Libhtp 0.5.17 upstream
CVE-2015-XXXX [MATTA-2015-002: Enforce acceptable range for Diffie-Hellman server value]
	- putty 0.63-10
	[wheezy] - putty 0.62-9+deb7u2
	[squeeze] - putty 0.60+2010-02-20-1+squeeze3
	NOTE: temporary workaround until CVE assigned, to explicitly tag for wheezy+squeeze
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/27/4
	NOTE: http://advisories.mageia.org/MGASA-2015-0098.html
CVE-2015-2172 (DokuWiki before 2014-05-05d and before 2014-09-29c does not properly c ...)
- dokuwiki 0.0.20140929.d-1 (bug #779547) [jessie] - dokuwiki 0.0.20140505.a+dfsg-4 [squeeze] - dokuwiki (Vulnerable code not present) [wheezy] - dokuwiki (Vulnerable code not present) NOTE: present since release_candidate_2013-10-28 NOTE: https://github.com/splitbrain/dokuwiki/issues/1056 NOTE: https://github.com/splitbrain/dokuwiki/commit/4970ad24ce49ec76a0ee67bca7594f918ced2f5f CVE-2015-2158 (Off-by-one error in the pngcrush_measure_idat function in pngcrush.c i ...) - pngcrush (Vulnerable code not present) NOTE: Introduced by http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ (1.7.83) NOTE: Fixed by: http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/ (1.7.84) NOTE: https://www.openwall.com/lists/oss-security/2015/02/28/6 CVE-2015-2157 (The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY ...) {DSA-3190-1 DLA-173-1} - putty 0.63-10 (bug #779488) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html CVE-2015-2100 (Multiple stack-based buffer overflows in WebGate eDVR Manager and Cont ...) NOT-FOR-US: eDVR Manager and Control Center CVE-2015-2099 (Multiple buffer overflows in WebGate Control Center allow remote attac ...) NOT-FOR-US: WebGate Control Center CVE-2015-2098 (Multiple stack-based buffer overflows in WebGate eDVR Manager allow re ...) NOT-FOR-US: WebGate eDVR Manager CVE-2015-2097 (Multiple buffer overflows in WebGate Embedded Standard Protocol (WESP) ...) NOT-FOR-US: WESP SDK CVE-2015-2096 (Use-after-free vulnerability in the Connect function in the WESPMonito ...) NOT-FOR-US: WebGate eDVR Manager CVE-2015-2095 (Heap-based buffer overflow in the SetConnectInfo function in the WESPP ...) NOT-FOR-US: WebGate eDVR Manager CVE-2015-2094 (Stack-based buffer overflow in the WESPPlayback.WESPPlaybackCtrl.1 con ...) NOT-FOR-US: WebGate WinRDS CVE-2015-2093 (Stack-based buffer overflow in the Connect function in the WebGate Web ...) 
NOT-FOR-US: WebGate WEbEyeAudio ActiveX control CVE-2015-2092 (The AnnotationX.AnnList.1 ActiveX control in Agilent Technologies Feat ...) NOT-FOR-US: Agilent Technologies Feature Extraction CVE-2015-2090 (SQL injection vulnerability in the ajax_survey function in settings.ph ...) NOT-FOR-US: ajax_survey function in settings.php in the WordPress Survey and Poll plugin for WordPress CVE-2015-2089 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Cros ...) NOT-FOR-US: CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin for WordPress CVE-2015-2088 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Term Queue model for Drupal CVE-2015-2087 (Unrestricted file upload vulnerability in the Avatar Uploader module b ...) NOT-FOR-US: Avatar Uploader module for Drupal CVE-2015-2086 (Cross-site scripting (XSS) vulnerability in the live preview in the Pa ...) NOT-FOR-US: Panopoly Magic module for Drupal CVE-2015-2085 RESERVED CVE-2015-2084 (Cross-site request forgery (CSRF) vulnerability in the Easy Social Ico ...) NOT-FOR-US: Easy Social Icons plugin for WordPress CVE-2015-2083 (Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows rem ...) NOT-FOR-US: Ilch CMS CVE-2015-2082 (Cross-site scripting (XSS) vulnerability in Login.aspx in UNIT4 Prosof ...) NOT-FOR-US: UNIT4 Prosoft HRMS CVE-2015-2081 (Datto ALTO and SIRIS devices allow Remote Code Execution via unauthent ...) NOT-FOR-US: Datto ALTO and SIRIS devices CVE-2015-8985 (The pop_fail_stack function in the GNU C Library (aka glibc or libc6) ...) - glibc 2.28-1 (unimportant; bug #779392) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21163 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672 (2.28) NOTE: DoS via crafted regexps are not considered security issues by glibc upstream CVE-2015-8984 (The fnmatch function in the GNU C Library (aka glibc or libc6) before ...) 
{DLA-316-1} - glibc 2.21-1 (bug #779587) [jessie] - glibc 2.19-18+deb8u2 - eglibc [wheezy] - eglibc 2.13-38+deb7u9 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18032 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185 NOTE: https://www.openwall.com/lists/oss-security/2015/02/26/5 CVE-2015-2079 RESERVED CVE-2015-2078 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...) NOT-FOR-US: Lavasoft Ad-Aware Web Companion CVE-2015-2077 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...) NOT-FOR-US: Lavasoft Ad-Aware Web Companion CVE-2015-2076 (The Auditing service in SAP BusinessObjects Edge 4.0 allows remote att ...) NOT-FOR-US: SAP CVE-2015-2075 (SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit e ...) NOT-FOR-US: SAP CVE-2015-2074 (The File Repository Server (FRS) CORBA listener in SAP BussinessObject ...) NOT-FOR-US: SAP CVE-2015-2073 (The File RepositoRy Server (FRS) CORBA listener in SAP BussinessObject ...) NOT-FOR-US: SAP CVE-2015-2072 (Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1. ...) NOT-FOR-US: SAP CVE-2015-2071 (Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouc ...) NOT-FOR-US: eTouch SamePage Enterprise Edition CVE-2015-2070 (SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4. ...) NOT-FOR-US: eTouch SamePage Enterprise Edition CVE-2015-2069 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2015-2068 (Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka ...) NOT-FOR-US: Magento Server CVE-2015-2067 (Directory traversal vulnerability in web/ajax_pluginconf.php in the MA ...) NOT-FOR-US: Magento Server CVE-2015-2066 (SQL injection vulnerability in DLGuard 4.5 allows remote attackers to ...) 
NOT-FOR-US: DLGuard CVE-2015-2065 (SQL injection vulnerability in videogalleryrss.php in the Apptha WordP ...) NOT-FOR-US: Apptha WordPress Video Gallery (contus-video-gallery) plugin for WordPress CVE-2015-2064 (Multiple cross-site scripting (XSS) vulnerabilities in DLGuard 5, 4.6, ...) NOT-FOR-US: DLGuard CVE-2015-2080 (The exception handling code in Eclipse Jetty before 9.2.9.v20150224 al ...) - jetty (Only affects 9.2.3.v20140905 through 9.2.8.v20150217) - jetty8 (Only affects 9.2.3.v20140905 through 9.2.8.v20150217) NOTE: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html NOTE: https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md NOTE: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html CVE-2015-2062 (Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-i ...) NOT-FOR-US: Huge-IT Slider (slider- image) plugin for WordPress CVE-2015-2061 (Heap-based buffer overflow in the browser plugin for PTC Creo View all ...) NOT-FOR-US: PTC Creo View CVE-2015-2057 RESERVED CVE-2015-2056 RESERVED CVE-2015-2055 (Zhone GPON 2520 with firmware R4.0.2.566b allows remote attackers to c ...) NOT-FOR-US: Zhone GPON 2520 CVE-2015-2054 (CRLF injection vulnerability in export.cfg in the web-based administra ...) NOT-FOR-US: Sierra Wireless AirCard CVE-2015-2053 (The log viewer in McAfee Agent (MA) before 4.8.0 Patch 3 and 5.0.0, wh ...) NOT-FOR-US: McAfee CVE-2015-2052 (Stack-based buffer overflow in the DIR-645 Wired/Wireless Router Rev. ...) NOT-FOR-US: DIR-645 Wired/Wireless Router Rev. Ax CVE-2015-2051 (The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 ...) NOT-FOR-US: D-Link DIR-645 Wired/Wireless Router Rev. Ax CVE-2015-2050 (D-Link DAP-1320 Rev Ax with firmware before 1.21b05 allows attackers t ...) 
NOT-FOR-US: D-Link DAP-1320 Rev Ax CVE-2015-2049 (Unrestricted file upload vulnerability in D-Link DCS-931L with firmwar ...) NOT-FOR-US: D-Link DCS-931L CVE-2015-2048 (Cross-site request forgery (CSRF) vulnerability in D-Link DCS-931L wit ...) NOT-FOR-US: D-Link DCS-931L CVE-2015-2045 (The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does n ...) {DSA-3181-1} - xen 4.4.1-8 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-122.html CVE-2015-2044 (The emulation routines for unspecified X86 devices in Xen 3.2.x throug ...) {DSA-3181-1} - xen 4.4.1-8 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-121.html CVE-2015-2043 (Multiple cross-site scripting (XSS) vulnerabilities in Visualware MyCo ...) NOT-FOR-US: Visualware CVE-2015-2040 (Cross-site scripting (XSS) vulnerability in the Contact Form DB (aka C ...) NOT-FOR-US: Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin for WordPress CVE-2015-2039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Acob ...) NOT-FOR-US: Acobot Live Chat & Contact Form plugin for WordPress CVE-2015-8983 (Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c ...) {DLA-316-1} - eglibc [wheezy] - eglibc 2.13-38+deb7u9 - glibc 2.21-1 (bug #779587) [jessie] - glibc 2.19-18+deb8u2 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17269 NOTE: Fixed upstream in 2.22 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33 NOTE: https://www.openwall.com/lists/oss-security/2015/02/22/15 CVE-2015-8477 (Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allow ...) 
- redmine 3.0~20140825-5 (low) [squeeze] - redmine (Redmine not supported because of rails) [wheezy] - redmine (Redmine not supported because of rails) NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_2_6 NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/19117 NOTE: https://github.com/redmine/redmine/commit/a1f40686ba43d121cbc8c095d2f8cc4095e70352#diff-847ef9328e260b1b93fd165d072b072d CVE-2015-2047 (The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4 ...) {DSA-3164-1} - typo3-src 4.5.40+dfsg1-1 (bug #778870) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/ CVE-2015-2038 RESERVED CVE-2015-2037 RESERVED CVE-2015-2036 RESERVED CVE-2015-2033 (Anyterm Daemon in Infoblox Network Automation NetMRI before NETMRI-234 ...) NOT-FOR-US: Anyterm Daemon CVE-2015-2032 RESERVED CVE-2015-2031 (Cross-site scripting (XSS) vulnerability in IBM WebSphere eXtreme Scal ...) NOT-FOR-US: IBM CVE-2015-2030 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2029 (Session fixation vulnerability in IBM WebSphere eXtreme Scale 7.1.0 be ...) NOT-FOR-US: IBM CVE-2015-2028 (CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 befo ...) NOT-FOR-US: IBM CVE-2015-2027 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2026 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere eXtre ...) NOT-FOR-US: IBM CVE-2015-2025 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2024 RESERVED CVE-2015-2023 (Buffer overflow in IBM i Access 7.1 on Windows allows local users to g ...) NOT-FOR-US: IBM i Access 7.1 on Windows CVE-2015-2022 RESERVED CVE-2015-2021 RESERVED CVE-2015-2020 (The MyScript SDK before 1.3 for Android might allow attackers to execu ...) 
NOT-FOR-US: MyScript SDK CVE-2015-2019 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-2018 (IBM Integration Bus 9 and 10 before 10.0.0.1 and WebSphere Message Bro ...) NOT-FOR-US: IBM WebSphere CVE-2015-2017 (CRLF injection vulnerability in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-2016 (Unspecified vulnerability in IBM QRadar SIEM 7.1 MR2 before Patch 11 I ...) NOT-FOR-US: IBM CVE-2015-2015 (Cross-site scripting (XSS) vulnerability in pubnames.ntf (aka the Dire ...) NOT-FOR-US: IBM Domino CVE-2015-2014 (Open redirect vulnerability in the web server in IBM Domino 8.5 before ...) NOT-FOR-US: IBM Domino CVE-2015-2013 (IBM WebSphere MQ 7.0.1 before 7.0.1.13 allows remote attackers to caus ...) NOT-FOR-US: IBM CVE-2015-2012 (The MQXR service in WMQ Telemetry in IBM WebSphere MQ 7.1 before 7.1.0 ...) NOT-FOR-US: IBM CVE-2015-2011 (The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 1 ...) NOT-FOR-US: IBM CVE-2015-2010 REJECTED CVE-2015-2009 (Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi serv ...) NOT-FOR-US: IBM CVE-2015-2008 (IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 and 7.2.x befor ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2007 (Directory traversal vulnerability in IBM Security QRadar SIEM 7.2.x be ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2006 RESERVED CVE-2015-2005 (IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 and 7.2.x befor ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2004 (The GraceNote GNSDK SDK before SVN Changeset 1.1.7 for Android might a ...) NOT-FOR-US: GraceNote GNSDK SDK CVE-2015-2003 (The PJSIP PJSUA2 SDK before SVN Changeset 51322 for Android might allo ...) NOT-FOR-US: PJSIP PJSUA2 SDK CVE-2015-2002 (The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow at ...) 
NOT-FOR-US: ESRI ArcGis Runtime SDK CVE-2015-2001 (The MetaIO SDK before 6.0.2.1 for Android might allow attackers to exe ...) NOT-FOR-US: MetaIO SDK CVE-2015-2000 (The Jumio SDK before 1.5.0 for Android might allow attackers to execut ...) NOT-FOR-US: Jumio SDK CVE-2015-1999 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 plac ...) NOT-FOR-US: IBM QRadar CVE-2015-1998 RESERVED CVE-2015-1997 (Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar ...) NOT-FOR-US: IBM QRadar CVE-2015-1996 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1995 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Security QR ...) NOT-FOR-US: IBM QRadar CVE-2015-1994 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1993 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1992 (IBM Systems Director 5.2.x, 6.1.x, 6.2.0.x, 6.2.1.x, 6.3.0.0, 6.3.1.x, ...) NOT-FOR-US: IBM Systems Director CVE-2015-1991 REJECTED CVE-2015-1990 REJECTED CVE-2015-1989 (SQL injection vulnerability in IBM Security QRadar Incident Forensics ...) NOT-FOR-US: IBM QRadar CVE-2015-1988 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Storage Manger ...) NOT-FOR-US: IBM CVE-2015-1987 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1986 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1985 (The queue manager on IBM MQ M2000 appliances before 8.0.0.4 allows loc ...) NOT-FOR-US: IBM MQ M2000 appliances CVE-2015-1984 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1983 (Cross-site scripting (XSS) vulnerability in the Projects page in IBM U ...) 
NOT-FOR-US: IBM CVE-2015-1982 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1981 (Cross-site scripting (XSS) vulnerability in the web server in IBM Domi ...) NOT-FOR-US: IBM CVE-2015-1980 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1979 (Multiple cross-site scripting (XSS) vulnerabilities in the Error dialo ...) NOT-FOR-US: IBM CVE-2015-1978 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Security Direct ...) NOT-FOR-US: IBM CVE-2015-1977 (Directory traversal vulnerability in the Web Administration tool in IB ...) NOT-FOR-US: IBM CVE-2015-1976 (IBM Security Directory Server could allow an authenticated user to exe ...) NOT-FOR-US: IBM CVE-2015-1975 (The web administration tool in IBM Tivoli Security Directory Server 6. ...) NOT-FOR-US: IBM CVE-2015-1974 (The web administration tool in IBM Tivoli Security Directory Server 6. ...) NOT-FOR-US: IBM CVE-2015-1973 RESERVED CVE-2015-1972 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-1971 (Unspecified vulnerability in Jazz Team Server in Jazz Foundation in IB ...) NOT-FOR-US: IBM CVE-2015-1970 (The IBM WebSphere DataPower XC10 appliance 2.1 through 2.1.0.3 and 2.5 ...) NOT-FOR-US: IBM CVE-2015-1969 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Common Reportin ...) NOT-FOR-US: IBM CVE-2015-1968 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...) NOT-FOR-US: IBM CVE-2015-1967 (MQ Explorer in IBM WebSphere MQ before 8.0.0.3 does not recognize the ...) NOT-FOR-US: IBM CVE-2015-1966 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Fede ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2015-1965 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1964 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) 
NOT-FOR-US: IBM CVE-2015-1963 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1962 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1961 (The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1 ...) NOT-FOR-US: IBM CVE-2015-1960 RESERVED CVE-2015-1959 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-1958 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1957 (IBM WebSphere MQ 7.5.x before 7.5.0.6 and 8.0.x before 8.0.0.3 allows ...) NOT-FOR-US: IBM WebSphere MQ CVE-2015-1956 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1955 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1954 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1953 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1952 (Cross-site scripting (XSS) vulnerability in IBM AppScan Enterprise Edi ...) NOT-FOR-US: IBM CVE-2015-1951 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1950 (IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require ...) NOT-FOR-US: IBM CVE-2015-1949 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1948 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1947 (Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, ...) NOT-FOR-US: IBM InfoSphere BigInsights CVE-2015-1946 (IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphe ...) NOT-FOR-US: IBM WebSphere CVE-2015-1945 (Unspecified vulnerability in the Reference Data Management component i ...) 
NOT-FOR-US: IBM InfoSphere CVE-2015-1944 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-1943 (IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1 ...) NOT-FOR-US: IBM CVE-2015-1942 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1941 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1940 RESERVED CVE-2015-1939 RESERVED CVE-2015-1938 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1937 (IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2. ...) NOT-FOR-US: IBM PowerVC CVE-2015-1936 (The administrative console in IBM WebSphere Application Server (WAS) 8 ...) NOT-FOR-US: IBM WAS CVE-2015-1935 (The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 th ...) NOT-FOR-US: IBM DB2 CVE-2015-1934 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1933 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1932 (IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-1931 (IBM Java Security Components in IBM SDK, Java Technology Edition 8 bef ...) NOT-FOR-US: IBM JDK CVE-2015-1930 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1929 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1928 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...) NOT-FOR-US: IBM CVE-2015-1927 (The default configuration of IBM WebSphere Application Server (WAS) 7. ...) NOT-FOR-US: IBM WAS CVE-2015-1926 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) 
NOT-FOR-US: Oracle WebCenter Portal CVE-2015-1925 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1924 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1923 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 6 ...) NOT-FOR-US: IBM CVE-2015-1922 (The Data Movement implementation in IBM DB2 9.7 through FP10, 9.8 thro ...) NOT-FOR-US: IBM DB2 CVE-2015-1921 (Open redirect vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-1920 (IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 befor ...) NOT-FOR-US: IBM CVE-2015-1919 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar Incide ...) NOT-FOR-US: IBM CVE-2015-1918 RESERVED CVE-2015-1917 (Cross-site scripting (XSS) vulnerability in the Active Content Filteri ...) NOT-FOR-US: IBM CVE-2015-1916 (Unspecified vulnerability in IBM Java 8 before SR1 allows remote attac ...) NOT-FOR-US: IBM JDK CVE-2015-1915 (The Endpoint Manager for Remote Control component in IBM Tivoli Endpoi ...) NOT-FOR-US: IBM CVE-2015-1914 (IBM Java 7 R1 before SR3, 7 before SR9, 6 R1 before SR8 FP4, 6 before ...) NOT-FOR-US: IBM JDK CVE-2015-1913 (Rational Test Control Panel in IBM Rational Test Workbench and Rationa ...) NOT-FOR-US: IBM CVE-2015-1912 RESERVED CVE-2015-1911 (Cross-site scripting (XSS) vulnerability in Sterling Order Management ...) NOT-FOR-US: Sterling Order Management CVE-2015-1910 (Cross-site scripting (XSS) vulnerability in the Reference Data Managem ...) NOT-FOR-US: IBM CVE-2015-1909 (The XML parser in the Reference Data Management component in the serve ...) NOT-FOR-US: IBM CVE-2015-1908 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1907 (The Administration and Reporting Tool in IBM Rational License Key Serv ...) 
NOT-FOR-US: IBM Rational License Key Server CVE-2015-1906 (Cross-site scripting (XSS) vulnerability in the REST API in IBM Busine ...) NOT-FOR-US: IBM BPM CVE-2015-1905 (The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1 ...) NOT-FOR-US: IBM BPM CVE-2015-1904 (IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 throug ...) NOT-FOR-US: IBM CVE-2015-1903 (Stack-based buffer overflow in IBM Domino 8.5 before 8.5.3 FP6 IF7 and ...) NOT-FOR-US: IBM CVE-2015-1902 (Stack-based buffer overflow in IBM Domino 8.5 before 8.5.3 FP6 IF7 and ...) NOT-FOR-US: IBM CVE-2015-1901 (The installer in IBM InfoSphere Information Server 8.5 through 11.3 be ...) NOT-FOR-US: IBM CVE-2015-1900 (IBM InfoSphere DataStage 8.1, 8.5, 8.7, 9.1, and 11.3 through 11.3.1.2 ...) NOT-FOR-US: IBM CVE-2015-1899 (IBM WebSphere Portal 8.5 through CF05 allows remote attackers to cause ...) NOT-FOR-US: IBM CVE-2015-1898 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1897 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1896 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1895 (IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 relies on clie ...) NOT-FOR-US: IBM CVE-2015-1894 (Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Opti ...) NOT-FOR-US: IBM CVE-2015-1893 (The IBM WebSphere DataPower XC10 appliance 2.1 before 2.1.0.3 allows r ...) NOT-FOR-US: IBM WebSphere CVE-2015-1892 (The Multicast DNS (mDNS) responder in IBM Security Access Manager for ...) NOT-FOR-US: IBM Security Access Manager CVE-2015-1891 RESERVED CVE-2015-1890 (/usr/lpp/mmfs/bin/gpfs.snap in IBM General Parallel File System (GPFS) ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-1889 (The Big SQL component in IBM InfoSphere BigInsights 3.0 through 3.0.0. ...) 
NOT-FOR-US: IBM InfoSphere BigInsights CVE-2015-1888 (Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.0. ...) NOT-FOR-US: IBM CVE-2015-1887 (IBM WebSphere Portal 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1886 (The Remote Document Conversion Service (DCS) in IBM WebSphere Portal 6 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1885 (WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 b ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-1884 (Directory traversal vulnerability in IBM Business Process Manager (BPM ...) NOT-FOR-US: IBM CVE-2015-1883 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 t ...) NOT-FOR-US: IBM DB2 CVE-2015-1882 (Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-1880 (Cross-site scripting (XSS) vulnerability in the sslvpn login page in F ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-1879 (Cross-site scripting (XSS) vulnerability in the Google Doc Embedder pl ...) NOT-FOR-US: Google Doc Embedder plugin for WordPress CVE-2015-2042 (net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect dat ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 [squeeze] - linux-2.6 (Minor issue) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db27ebb111e9f69efece08e4cb6a34ff980f8896 (v3.19) NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e5048495c8569bfdd552750e0315973c61e7c93 (v2.6.30-rc1) CVE-2015-2041 (net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incor ...) 
{DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 [squeeze] - linux-2.6 (Minor issue) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 (v3.19-rc7) NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=590232a7150674b2036291eaefce085f3f9659c8 (v2.6.14-rc3) CVE-2015-2035 (SQL injection vulnerability in the administrative backend in Piwigo be ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2015-2034 (Cross-site scripting (XSS) vulnerability in the administrative backend ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2015-1878 (Thales nShield Connect hardware models 500, 1500, 6000, 500+, 1500+, a ...) NOT-FOR-US: nShield Connect hardware models CVE-2015-1876 (Directory traversal vulnerability in ES File Explorer 3.2.4.1. ...) NOT-FOR-US: ES File Explorer CVE-2015-1875 (SQL injection vulnerability in a2billing/customer/iridium_threed.php i ...) NOT-FOR-US: Elastix CVE-2015-1874 (Cross-site request forgery (CSRF) vulnerability in the Contact Form DB ...) NOT-FOR-US: Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin for WordPress CVE-2015-1873 RESERVED CVE-2015-1872 (The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg be ...) {DLA-1740-1 DLA-644-1} - ffmpeg 7:2.5.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Minor issue, can be fixed along in a future DSA) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037 CVE-2015-1871 RESERVED CVE-2015-1870 (The event scripts in Automatic Bug Reporting Tool (ABRT) uses world-re ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1869 (The default event handling scripts in Automatic Bug Reporting Tool (AB ...) 
NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1868 (The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6. ...) - pdns 3.4.4-1 [jessie] - pdns 3.4.1-4+deb8u1 [wheezy] - pdns (3.2 and up affected) [squeeze] - pdns (3.2 and up affected) - pdns-recursor 3.7.2-1 [jessie] - pdns-recursor 3.6.2-2+deb8u1 [wheezy] - pdns-recursor (3.5 and up affected) [squeeze] - pdns-recursor (3.5 and up affected) NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ CVE-2015-1867 (Pacemaker before 1.1.13 does not properly evaluate added nodes, which ...) - pacemaker (Vulnerable code not present) NOTE: Introduced by: https://github.com/ClusterLabs/pacemaker/commit/f242c1ef (Pacemaker-1.1.12-rc1) NOTE: Fixed by: https://github.com/ClusterLabs/pacemaker/commit/84ac07c (Pacemaker-1.1.13-rc2) CVE-2015-1866 (Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before 1.1 ...) NOT-FOR-US: ember.js CVE-2015-1865 (fts.c in coreutils 8.4 allows local users to delete arbitrary files. ...) - coreutils 8.13-1 (low) [squeeze] - coreutils (Minor issue) NOTE: relevant code changed between 8.5 and 8.13, see https://bugzilla.redhat.com/show_bug.cgi?id=1211300 for details NOTE: Issue reproduced in with 8.5 and confirmed to not work with 8.13-3.5 CVE-2015-1864 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) - kallithea (bug #689573) CVE-2015-1863 (Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows re ...) {DSA-3233-1} - wpa 2.3-2 (bug #783148) - wpasupplicant (Vulnerable code present since v1.0) NOTE: http://w1.fi/security/2015-1/ NOTE: Vulnerable are v1.0-v2.4 with CONFIG_P2P build option enabled NOTE: CONFIG_P2P enabled since 1.1-1 in debian/config/wpasupplicant/linux NOTE: Binary packages built for wheezy are not affected since WiFi P2P is disabled CVE-2015-1862 (The crash reporting feature in Abrt allows local users to gain privile ...) 
NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1861 REJECTED CVE-2015-1860 (Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase m ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1859 (Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1858 (Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase m ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1857 (The odl-mdsal-apidocs feature in OpenDaylight Helium allow remote atta ...) NOT-FOR-US: OpenDaylight CVE-2015-1856 (OpenStack Object Storage (Swift) before 2.3.0, when allow_version is c ...) - swift 2.2.0-2 (bug #783163) [jessie] - swift 2.2.0-1+deb8u1 [wheezy] - swift (Minor issue) NOTE: https://launchpad.net/bugs/1430645 CVE-2015-1855 (verify_certificate_identity in the OpenSSL extension in Ruby before 2. ...) 
	{DSA-3247-1 DSA-3246-1 DSA-3245-1 DLA-235-1 DLA-224-1}
	- ruby1.8
	- ruby1.9.1
	- ruby2.0
	- ruby2.1 2.1.5-3
	- ruby2.2 2.2.2-1
	NOTE: https://bugs.ruby-lang.org/issues/9644
	NOTE: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
CVE-2015-1854 (389 Directory Server before 1.3.3.10 allows attackers to bypass intend ...)
	{DLA-1428-1}
	- 389-ds-base 1.3.3.10-1 (bug #783923)
	NOTE: Patch applied to CentOS package: https://git.centos.org/raw/rpms!389-ds-base.git!/309aa9ee631432d72c845f70df2ce6475055423b/SOURCES!0062-CVE-2015-1854-389ds-base-access-control-bypass-with-.patch
CVE-2015-1853 (chrony before 1.31.1 does not properly protect state variables in auth ...)
	{DSA-3222-1 DLA-193-1}
	- chrony 1.30-2 (bug #782160)
	NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=d856bd34c4862398411d29200520e3a3b1d4569e
CVE-2015-1852 (The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 a ...)
	- python-keystonemiddleware 1.5.0-2
	[jessie] - python-keystonemiddleware 1.0.0-3+deb8u1
	- python-keystoneclient 1:1.3.0-2 (bug #783164)
	NOTE: originally fixed in 1:0.10.1-3 but then 1:1.3.0-1 was uploaded without the fix
	[jessie] - python-keystoneclient 1:0.10.1-2+deb8u1
	[wheezy] - python-keystoneclient (s3_token middleware not present)
	NOTE: https://launchpad.net/bugs/1411063
CVE-2015-1851 (OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 ...)
	{DSA-3292-1}
	- cinder 2015.1.0+2015.06.16.git26.9634b76ba5-1 (bug #788996)
	NOTE: https://www.openwall.com/lists/oss-security/2015/06/13/1
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1231817
	NOTE: https://bugs.launchpad.net/cinder/+bug/1415087
CVE-2015-1850 REJECTED
CVE-2015-1849 (AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platfo ...)
	NOT-FOR-US: JBoss EAP
CVE-2015-1848 (The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secu ...)
	- pcs (Fixed before initial release to Debian)
	NOTE: https://github.com/feist/pcs/commit/898204596a779673c88097bbdbe2d7ed6ed0cc8b (0.9.140)
CVE-2015-1847 (Directory traversal vulnerability in the web request/response interfac ...)
	NOT-FOR-US: Appserver.io
CVE-2015-1846 (unzoo allows remote attackers to cause a denial of service (infinite l ...)
	- unzoo
CVE-2015-1845 (Buffer overflow in the EntrReadArch function in unzoo might allow remo ...)
	- unzoo
CVE-2015-1844 (Foreman before 1.7.5 allows remote authenticated users to bypass organ ...)
	- foreman (bug #663101)
CVE-2015-1843 (The Red Hat docker package before 1.5.0-28, when using the --add-regis ...)
	- docker.io (RHEL specific problem)
CVE-2015-1842 (The puppet manifests in the Red Hat openstack-puppet-modules package b ...)
	NOT-FOR-US: openstack-puppet-modules
CVE-2015-1841 (The Web Admin interface in Red Hat Enterprise Virtualization Manager ( ...)
	NOT-FOR-US: RHEV
CVE-2015-1840 (jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and ra ...)
	- ruby-jquery-rails 4.0.4-1 (bug #790395)
	[jessie] - ruby-jquery-rails (Minor issue)
	[wheezy] - ruby-jquery-rails (Minor issue)
	NOTE: https://hackerone.com/reports/49935
	NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
	NOTE: https://nodesecurity.io/advisories/15
CVE-2015-1839 (modules/chef.py in SaltStack before 2014.7.4 does not properly handle ...)
	- salt (Vulnerable code only present in experimental version; introduced in 2014.7.0)
	NOTE: https://github.com/saltstack/salt/commit/22d2f7a1ec93300c34e8c42d14ec39d51e610b5c
	NOTE: https://github.com/saltstack/salt/commit/b49d0d4b5ca5c6f31f03e2caf97cef1088eeed81
CVE-2015-1838 (modules/serverdensity_device.py in SaltStack before 2014.7.4 does not ...)
	- salt (Vulnerable code only present in experimental version; introduced in 2014.7.0)
	NOTE: https://github.com/saltstack/salt/commit/e11298d7155e9982749483ca5538e46090caef9c
CVE-2015-1837 RESERVED
CVE-2015-1836 (Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before ...)
	NOT-FOR-US: Apache HBase
CVE-2015-1835 (Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an appl ...)
	NOT-FOR-US: Apache Cordova
CVE-2015-1834 (A path traversal vulnerability was identified in the Cloud Foundry com ...)
	NOT-FOR-US: Cloud Foundry
CVE-2015-1833 (XML external entity (XXE) vulnerability in Apache Jackrabbit before 2. ...)
	{DSA-3298-1}
	- jackrabbit 2.10.1-1 (bug #787316)
	NOTE: https://issues.apache.org/jira/browse/JCR-3883
CVE-2015-1832 (XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apac ...)
	- derby 10.13.1.1-1
	[jessie] - derby (Minor issue)
	NOTE: https://issues.apache.org/jira/browse/DERBY-6807
	NOTE: https://svn.apache.org/viewvc?view=revision&revision=1691461
	NOTE: Fixed in 10.12.1.1
CVE-2015-1831 (The default exclude patterns (excludeParams) in Apache Struts 2.3.20 a ...)
	- libstruts1.2-java (Affects only 2.3.20)
	NOTE: https://struts.apache.org/docs/s2-024.html
CVE-2015-1830 (Directory traversal vulnerability in the fileserver upload/download fu ...)
	- activemq (Only affects activemq on Windows)
	NOTE: http://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt
CVE-2015-1829 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...)
	NOT-FOR-US: Oracle Fusion Middleware
CVE-2015-1828 (The Ruby http gem before 0.7.3 does not verify hostnames in SSL connec ...)
	- ruby-http 1.0.2-2
	[jessie] - ruby-http (Minor issue)
	NOTE: http.rb failed to call the `#post_connection_check` method on SSL connections.
	NOTE: This method implements hostname verification, and without it `http.rb` was
	NOTE: vulnerable to MitM attacks. The problem was corrected by calling
	NOTE: `#post_connection_check`.
	NOTE: Fixed by: https://github.com/httprb/http/commit/24626bfcdeda1084502575c3fbb6091c9e2815e0
CVE-2015-1827 (The get_user_grouplist function in the extdom plug-in in FreeIPA befor ...)
	- freeipa (Only affects 4.1, see bug #781224)
	NOTE: https://fedorahosted.org/freeipa/ticket/4908
CVE-2015-1826 REJECTED
CVE-2015-1825 REJECTED
CVE-2015-1824 REJECTED
CVE-2015-1823 REJECTED
CVE-2015-1822 (chrony before 1.31.1 does not initialize the last "next" pointer when ...)
	{DSA-3222-1 DLA-193-1}
	- chrony 1.30-2 (bug #782160)
	NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=79eacdb7e694c7e6681b68006425df3faca51aec
CVE-2015-1821 (Heap-based buffer overflow in chrony before 1.31.1 allows remote authe ...)
	{DSA-3222-1 DLA-193-1}
	- chrony 1.30-2 (bug #782160)
	NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=cf19042ecb656b8afec0cc4906e7dd3ea9266ac8
CVE-2015-1820 (REST client for Ruby (aka rest-client) before 1.8.0 allows remote atta ...)
	- ruby-rest-client 1.6.7-6 (bug #781238)
	[wheezy] - ruby-rest-client (The correction introduces a dependency on a package not available in wheezy)
	- librestclient-ruby
	[wheezy] - librestclient-ruby (Vulnerability introduced in 1.6.1, wheezy has 1.6.0)
	[squeeze] - librestclient-ruby (Vulnerability introduced in 1.6.1, squeeze has 1.6.0)
	NOTE: https://github.com/rest-client/rest-client/issues/369
	NOTE: Patch: https://github.com/rest-client/rest-client/pull/365.patch (will need new dependency to ruby-http-cookie)
CVE-2015-1819 (The xmlreader in libxml allows remote attackers to cause a denial of s ...)
	{DSA-3430-1 DLA-266-1}
	- libxml2 2.9.2+really2.9.1+dfsg1-0.1 (low; bug #782782)
	NOTE: https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
	NOTE: Concerns by Florian Weimer: https://bugzilla.gnome.org/show_bug.cgi?id=748278
CVE-2015-1818 (XML external entity (XXE) vulnerability in the dashbuilder import faci ...)
	NOT-FOR-US: JBoss dashbuilder
CVE-2015-1817 (Stack-based buffer overflow in the inet_pton function in network/inet_ ...)
	- musl 1.1.5-2 (bug #781497)
CVE-2015-1816 (Forman before 1.7.4 does not verify SSL certificates for LDAP connecti ...)
	- foreman (bug #663101)
CVE-2015-1815 (The get_rpm_nvr_by_file_path_temporary function in util.py in setroubl ...)
	NOT-FOR-US: setroubleshoot
CVE-2015-1814 (The API token-issuing service in Jenkins before 1.606 and LTS before 1 ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
CVE-2015-1813 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and L ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
CVE-2015-1812 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and L ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
CVE-2015-1811 (XML external entity (XXE) vulnerability in CloudBees Jenkins before 1. ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1810 (The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS b ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1809 (XML external entity (XXE) vulnerability in CloudBees Jenkins before 1. ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1808 (Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticate ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1807 (Directory traversal vulnerability in Jenkins before 1.600 and LTS befo ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1806 (The combination filter Groovy script in Jenkins before 1.600 and LTS b ...)
	- jenkins (bug #781223)
	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
CVE-2015-1805 (The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in t ...)
	{DSA-3290-1 DLA-246-1}
	- linux 3.16.2-2
	- linux-2.6
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d1bec9d58d4c038d0ac958c9af82be6eb18045 (v3.16-rc1)
	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=637b58c2887e5e57850865839cc75f59184b23d1 (v3.15-rc1)
CVE-2015-1804 (The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont b ...)
	{DSA-3194-1 DLA-183-1}
	- libxfont 1:1.5.1-1
	NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html
CVE-2015-1803 (The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont b ...)
	{DSA-3194-1 DLA-183-1}
	- libxfont 1:1.5.1-1
	NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html
CVE-2015-1802 (The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont b ...)
	{DSA-3194-1 DLA-183-1}
	- libxfont 1:1.5.1-1
	NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html
CVE-2015-1801 (The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 k ...)
	NOT-FOR-US: Samsung
CVE-2015-1800 (The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 k ...)
	NOT-FOR-US: Samsung
CVE-2015-1799 (The symmetric-key feature in the receive function in ntp_proto.c in nt ...)
	{DSA-3223-1 DLA-192-1}
	- ntp 1:4.2.6.p5+dfsg-6 (bug #782095)
	NOTE: http://bugs.ntp.org/show_bug.cgi?id=2781
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#Authentication_doesn_t_protect_s
CVE-2015-1798 (The symmetric-key feature in the receive function in ntp_proto.c in nt ...)
	{DSA-3223-1 DLA-192-1}
	- ntp 1:4.2.6.p5+dfsg-6 (bug #782095)
	NOTE: http://bugs.ntp.org/show_bug.cgi?id=2779
	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#ntpd_accepts_unauthenticated_pac
CVE-2015-1797 REJECTED
CVE-2015-1796 (The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 an ...)
	- libopensaml2-java (bug #780383)
	[jessie] - libopensaml2-java (Minor issue)
	NOTE: Only change between 2.6.4 and 2.6.5 seems to be http://svn.shibboleth.net/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/saml2/metadata/provider/AbstractReloadingMetadataProvider.java?r1=1656&r2=1680
	NOTE: http://shibboleth.net/community/advisories/secadv_20150225.txt
CVE-2015-1795 (Red Hat Gluster Storage RPM Package 3.2 allows local users to gain pri ...)
	- glusterfs (Vulnerable code specific to glusterfs.spec and not present in source in Debian)
CVE-2015-1794 (The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 b ...)
	- openssl 1.0.2e-1
	[jessie] - openssl (Vulnerable code not present)
	[wheezy] - openssl (Vulnerable code not present)
	[squeeze] - openssl (Vulnerable code not present)
	NOTE: https://www.openssl.org/news/secadv/20151203.txt
CVE-2015-1793 (The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0 ...)
	- openssl 1.0.2d-1
	[jessie] - openssl (Vulnerable code not present)
	[wheezy] - openssl (Vulnerable code not present)
	[squeeze] - openssl (Vulnerable code not present)
	NOTE: http://openssl.org/news/secadv/20150709.txt
CVE-2015-1792 (The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before ...)
	{DSA-3287-1 DLA-247-1}
	- openssl 1.0.2b-1
	NOTE: http://openssl.org/news/secadv/20150611.txt
CVE-2015-1791 (Race condition in the ssl3_get_new_session_ticket function in ssl/s3_c ...)
	{DSA-3287-1 DLA-247-1}
	- openssl 1.0.2b-1
	NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=98ece4eebfb6cd45cc8d550c6ac0022965071afc
	NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=dcad51bc13c9b716d9a66248bcc4038c071ff158
	NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=708cf593587e2fda67dae9782991ff9fccc781eb
CVE-2015-1790 (The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL bef ...)
	{DSA-3287-1 DLA-247-1}
	- openssl 1.0.2b-1
	NOTE: http://openssl.org/news/secadv/20150611.txt
CVE-2015-1789 (The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before ...)
	{DSA-3287-1 DLA-247-1}
	- openssl 1.0.2b-1
	NOTE: http://openssl.org/news/secadv/20150611.txt
CVE-2015-1788 (The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before ...)
	{DSA-3287-1}
	- openssl 1.0.2b-1
	[squeeze] - openssl (Vulnerable code got introduced post 1.0.0)
	NOTE: http://openssl.org/news/secadv/20150611.txt
CVE-2015-1787 (The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0. ...)
	- openssl (Vulnerable version never in unstable)
	NOTE: did affect 1.0.2 (only in experimental) and 1.0.2a was uploaded to unstable
CVE-2015-1786 (Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf ...)
	- zendframework (the vulnerability was introduced specifically in the 2.3 series)
	NOTE: http://framework.zend.com/security/advisory/ZF2015-03
CVE-2015-1785 RESERVED
CVE-2015-1784 RESERVED
CVE-2015-1783 (The prefix variable in the get_or_define_ns function in Lasso before c ...)
	- lasso 2.4.1-1
	[wheezy] - lasso (Vulnerable code introduced later)
	[squeeze] - lasso (Vulnerable code introduced later)
	NOTE: Upstream fix: https://repos.entrouvert.org/lasso.git/commit/lasso/xml?id=6d854cef4211cdcdbc7446c978f23ab859847cdd (v2.4.1)
	NOTE: Introduced by: https://repos.entrouvert.org/lasso.git/commit/lasso/xml?id=154812b401e3845977b3a4892dbc5e5a0b9d03cf (v2.4.0)
CVE-2015-1782 (The kex_agree_methods function in libssh2 before 1.5.0 allows remote s ...)
	{DSA-3182-1 DLA-171-1}
	- libssh2 1.4.3-4.1 (bug #780249)
	NOTE: http://www.libssh2.org/adv_20150311.html
CVE-2015-1781 (Buffer overflow in the gethostbyname_r and other unspecified NSS funct ...)
	{DSA-3480-1 DLA-230-1}
	[experimental] - glibc 2.21-0experimental1
	- glibc 2.19-20 (bug #796105)
	[jessie] - glibc 2.19-18+deb8u1
	- eglibc
	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18287
	NOTE: Upstream commit: https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386
CVE-2015-1780 (oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a st ...)
	NOT-FOR-US: oVirt Engine backend
CVE-2015-1779 (The VNC websocket frame decoder in QEMU allows remote attackers to cau ...)
	{DSA-3259-1}
	- qemu 1:2.3+dfsg-1 (bug #781250)
	[wheezy] - qemu (Websocket protocol support introduced in v1.4.0-rc0)
	[squeeze] - qemu (Websocket protocol support introduced in v1.4.0-rc0)
	- qemu-kvm (Websocket protocol support introduced in v1.4.0-rc0)
	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html
	NOTE: Original patches have a problem: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04995.html
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93
CVE-2015-1778 (The custom authentication realm used by karaf-tomcat's "opendaylight" ...)
	NOT-FOR-US: OpenDaylight
CVE-2015-1777 (rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Re ...)
	- rhn-client-tools (unimportant; bug #779817)
	NOTE: No security impact, this tool performs a registration at Red Hat Network,
	NOTE: which would fail, but no practical security impact
CVE-2015-1776 (Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduc ...)
	- hadoop (bug #793644)
CVE-2015-1775 (Server-side request forgery (SSRF) vulnerability in the proxy endpoint ...)
	NOT-FOR-US: Apache Ambari
CVE-2015-1774 (The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and ...)
	{DSA-3236-1}
	- libreoffice 1:4.4.2-1
CVE-2015-1773 (Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html ...)
	- flex-sdk (bug #602499)
CVE-2015-1772 (The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and ...)
	NOT-FOR-US: Apache Hive
CVE-2015-1771 (Cross-site request forgery (CSRF) vulnerability in the web application ...)
	NOT-FOR-US: Microsoft Exchange Server
CVE-2015-1770 (Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to e ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-1769 (Mount Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1768 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1767 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1766 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1765 (Microsoft Internet Explorer 9 through 11 allows remote attackers to re ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1764 (The web applications in Microsoft Exchange Server 2013 SP1 and Cumulat ...)
	NOT-FOR-US: Microsoft Exchange Server
CVE-2015-1763 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...)
	NOT-FOR-US: Microsoft SQL Server
CVE-2015-1762 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...)
	NOT-FOR-US: Microsoft SQL Server
CVE-2015-1761 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...)
	NOT-FOR-US: Microsoft SQL Server
CVE-2015-1760 (Microsoft Office Compatibility Pack SP3, Office 2010 SP2, Office 2013 ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-1759 (Microsoft Office Compatibility Pack SP3 allows remote attackers to exe ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-1758 (Untrusted search path vulnerability in the LoadLibrary function in the ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1757 (Cross-site scripting (XSS) vulnerability in adfs/ls in Active Director ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1756 (Use-after-free vulnerability in Microsoft Common Controls in Microsoft ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1755 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1754 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1753 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1752 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1751 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1750 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1749 REJECTED
CVE-2015-1748 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1747 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1746 REJECTED
CVE-2015-1745 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1744 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1743 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1742 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1741 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1740 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1739 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1738 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1737 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1736 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1735 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1734 REJECTED
CVE-2015-1733 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1732 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1731 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1730 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1729 (Microsoft Internet Explorer 9 through 11 allows remote attackers to re ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1728 (Microsoft Windows Media Player 10 through 12 allows remote attackers t ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1727 (Buffer overflow in the kernel-mode drivers in Microsoft Windows Server ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1726 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1725 (Buffer overflow in the kernel-mode drivers in Microsoft Windows Server ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1724 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1723 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1722 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1721 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1720 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1719 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1718 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1717 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1716 (Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wind ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1715 (Microsoft Silverlight 5 before 5.1.40416.00 allows remote attackers to ...)
	NOT-FOR-US: Microsoft
CVE-2015-1714 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1713 (Microsoft Internet Explorer 11 allows remote attackers to gain privile ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1712 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1711 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1710 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1709 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1708 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1707 REJECTED
CVE-2015-1706 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1705 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1704 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1703 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1702 (The Service Control Manager (SCM) in Microsoft Windows Server 2003 SP2 ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1701 (Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1700 (Microsoft SharePoint Server 2007 SP3, SharePoint Foundation 2010 SP2, ...)
	NOT-FOR-US: Microsoft
CVE-2015-1699 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1698 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1697 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1696 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1695 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1694 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1693 REJECTED
CVE-2015-1692 (Microsoft Internet Explorer 7 through 11 allows user-assisted remote a ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1691 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1690 REJECTED
CVE-2015-1689 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1688 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1687 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1686 (The Microsoft (1) VBScript 5.6 through 5.8 and (2) JScript 5.6 through ...)
	NOT-FOR-US: Microsoft
CVE-2015-1685 (Microsoft Internet Explorer 11 allows remote attackers to bypass the A ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1684 (VBScript.dll in the Microsoft VBScript 5.6 through 5.8 engine, as used ...)
	NOT-FOR-US: Microsoft
CVE-2015-1683 (Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary ...)
	NOT-FOR-US: Microsoft
CVE-2015-1682 (Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1681 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1680 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1679 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1678 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1677 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1676 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2015-1675 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1674 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1673 (The Windows Forms (aka WinForms) libraries in Microsoft .NET Framework ...)
	NOT-FOR-US: Microsoft
CVE-2015-1672 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1671 (The Windows DirectWrite library, as used in Microsoft .NET Framework 3 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1670 (The Windows DirectWrite library, as used in Microsoft .NET Framework 3 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1669 REJECTED
CVE-2015-1668 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1667 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1666 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1665 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1664 REJECTED
CVE-2015-1663 REJECTED
CVE-2015-1662 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1661 (Microsoft Internet Explorer 6 through 11 allows remote attackers to by ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1660 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1659 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1658 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1657 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1656 REJECTED
CVE-2015-1655 REJECTED
CVE-2015-1654 REJECTED
CVE-2015-1653 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...)
	NOT-FOR-US: Microsoft
CVE-2015-1652 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1651 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Word Viewer, ...)
	NOT-FOR-US: Microsoft
CVE-2015-1650 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 S ...)
	NOT-FOR-US: Microsoft
CVE-2015-1649 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 S ...)
	NOT-FOR-US: Microsoft
CVE-2015-1648 (ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1647 (Virtual Machine Manager (VMM) in Hyper-V in Microsoft Windows 8.1 and ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1646 (Microsoft XML Core Services (aka MSXML) 3.0 allows remote attackers to ...)
	NOT-FOR-US: Microsoft
CVE-2015-1645 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1644 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1643 (Microsoft Windows Server 2003 R2, Windows Vista SP2, Windows Server 20 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1642 (Microsoft Office 2007 SP3, 2010 SP2, and 2013 SP1 allows remote attack ...)
	NOT-FOR-US: Microsoft Office
CVE-2015-1641 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1640 (Cross-site scripting (XSS) vulnerability in Microsoft Project Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1639 (Cross-site scripting (XSS) vulnerability in Microsoft Office for Mac 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-1638 (Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-1637 (Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Wi ...)
	NOT-FOR-US: Microsoft
CVE-2015-1636 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...)
	NOT-FOR-US: Microsoft
CVE-2015-1635 (HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windo ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-1634 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1633 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...)
	NOT-FOR-US: Microsoft SharePoint
CVE-2015-1632 (Cross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook We ...)
	NOT-FOR-US: Microsoft
CVE-2015-1631 (Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remo ...)
	NOT-FOR-US: Microsoft
CVE-2015-1630 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...)
	NOT-FOR-US: Microsoft
CVE-2015-1629 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...)
	NOT-FOR-US: Microsoft
CVE-2015-1628 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...)
	NOT-FOR-US: Microsoft
CVE-2015-1627 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1626 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1625 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1624 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1623 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1622 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-1621 (Cross-site scripting (XSS) vulnerability in the Webform prepopulate bl ...)
	NOT-FOR-US: Webform module for Drupal
CVE-2015-1620
	RESERVED
CVE-2015-1619 (Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client ...)
	NOT-FOR-US: McAfee Email Gateway
CVE-2015-1618 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...)
	NOT-FOR-US: McAfee Data Loss Prevention Endpoint
CVE-2015-1617 (Cross-site scripting (XSS) vulnerability in the ePO extension in McAfe ...)
	NOT-FOR-US: McAfee Data Loss Prevention Endpoint
CVE-2015-1616 (SQL injection vulnerability in the ePO extension in McAfee Data Loss P ...)
	NOT-FOR-US: McAfee Data Loss Prevention Endpoint
CVE-2015-1615
	RESERVED
CVE-2015-1613 (RhodeCode before 2.2.7 allows remote authenticated users to obtain API ...)
	NOT-FOR-US: RhodeCode
CVE-2015-1612 (OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attac ...)
	NOT-FOR-US: OpenDaylight
CVE-2015-1611 (OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attac ...)
	NOT-FOR-US: OpenDaylight
CVE-2015-1610 (hosttracker in OpenDaylight l2switch allows remote attackers to change ...)
	NOT-FOR-US: OpenDaylight
CVE-2015-1609 (MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers t ...)
	- mongodb 1:2.4.10-5 (bug #780129)
	[wheezy] - mongodb (BSONElement::validate() checks length, problematic code introduced later)
	[squeeze] - mongodb (BSONElement::validate() checks length (db/jsobj.cpp +589))
	NOTE: https://jira.mongodb.org/browse/SERVER-17264
	NOTE: Fast bson validate introduced with https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9 (r2.3.2)
CVE-2015-1608 (Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not ...)
	NOT-FOR-US: Topline Opportunity Form
CVE-2015-1605 (Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manag ...)
	NOT-FOR-US: Dell ScriptLogic Asset Manager
CVE-2015-1602 (Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 impro ...)
	NOT-FOR-US: Siemens
CVE-2015-1601 (Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allow ...)
	NOT-FOR-US: Siemens
CVE-2015-1599 (The Siemens SPCanywhere application for iOS allows physically proximat ...)
	NOT-FOR-US: Siemens SPCanywhere application for iOS
CVE-2015-1598 (The Siemens SPCanywhere application for Android does not properly stor ...)
	NOT-FOR-US: Siemens SPCanywhere application for Android
CVE-2015-1597 (The Siemens SPCanywhere application for Android does not use encryptio ...)
	NOT-FOR-US: Siemens SPCanywhere application for Android
CVE-2015-1596 (The Siemens SPCanywhere application for Android and iOS does not prope ...)
	NOT-FOR-US: Siemens SPCanywhere application for Android
CVE-2015-1595 (The Siemens SPCanywhere application for Android and iOS does not use e ...)
	NOT-FOR-US: Siemens SPCanywhere application for Android
CVE-2015-1594 (Untrusted search path vulnerability in Siemens SIMATIC ProSave before ...)
	NOT-FOR-US: Siemens
CVE-2015-XXXX [incorrect memory management in Gtk2::Gdk::Display::list_devices]
	- libgtk2-perl 2:1.2492-4
	[wheezy] - libgtk2-perl 2:1.244-1+deb7u1
	[squeeze] - libgtk2-perl 2:1.222-1+deb6u1
	NOTE: wheezy/squeeze tagged entry as workaround/reminder for when CVE is assigned
	NOTE: CVE needs to be added to data/D[SL]A/list
	NOTE: https://mail.gnome.org/archives/gtk-perl-list/2015-January/msg00039.html
	NOTE: https://bugs.mageia.org/show_bug.cgi?id=15173
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/20/14
CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half]
	- linux 4.0.2-1
	[jessie] - linux 3.16.7-ckt17-1
	[wheezy] - linux 3.2.71-1
	- linux-2.6
	[squeeze] - linux-2.6 (powerpc not supported in Squeeze LTS)
	NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
	NOTE: arm64 affected from v3.7 to v3.18 (fixed in 3.16.7-ckt12)
	NOTE: powerpc affected from v2.6.30 to 3.2 (pending for 3.2.70)
	NOTE: Fix for arm64: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d6c763afab
	NOTE: Fix for ppc: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?fa8cbaaf5a68
CVE-2015-2060 (cabextract before 1.6 does not properly check for leading slashes when ...)
	- cabextract 1.6-1 (bug #778753)
	[jessie] - cabextract (Minor issue)
	[wheezy] - cabextract (Minor issue)
	[squeeze] - cabextract (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/18/3
	NOTE: Upstream commit: http://sourceforge.net/p/libmspack/code/217
	NOTE: CVE assigned for issue where path traversal occurs because the unpatched
	NOTE: code does neither of the following: 1) checking for slashes after decoding
	NOTE: 2) checking for ordinary slashes before decoding and prohibiting overlong
	NOTE: encodings
CVE-2015-2297 (nanohttp in libcsoap allows remote attackers to cause a denial of serv ...)
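The cabextract NOTE above names two acceptable defences against the traversal: reject separators after decoding the name, or reject ordinary separators before decoding while refusing overlong UTF-8 forms (an overlong C0 AF decodes to '/', so a pre-decode byte scan alone sees nothing). The following is an added example taking the second route; it is not code from cabextract or libmspack, and `utf8_is_strict`, `cab_safe_name` and the sample member names are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 validation: rejects overlong encodings (e.g. C0 AF for '/',
 * C0 AE for '.'), UTF-16 surrogates, code points above U+10FFFF, stray
 * continuation bytes and truncated sequences. Returns 1 if valid, else 0.
 * Once a name passes, every byte below 0x80 is a genuine ASCII character,
 * so a bytewise scan for '/' and '\\' cannot be dodged by re-encoding. */
static int utf8_is_strict(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len;
        uint32_t cp, min;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                 /* 80..BF stray continuation, F8..FF */
        if (i + len > n) return 0;     /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;        /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        if (cp > 0x10FFFF) return 0;
        i += len;
    }
    return 1;
}

/* Sanitise an archive member name before it is joined to the extraction
 * directory. Both '/' and '\\' count as separators, leading separators
 * (absolute paths) are dropped, any ".." component rejects the whole name,
 * and separators are normalised to '/'. Returns 0 and writes the result to
 * out on success, -1 if the name is rejected or out is too small. */
int cab_safe_name(const char *name, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)name;
    size_t n = strlen(name), i = 0, o = 0;

    if (outsz == 0 || !utf8_is_strict(s, n)) return -1;
    while (i < n && (s[i] == '/' || s[i] == '\\')) i++;
    if (i == n) return -1;             /* nothing left after stripping */

    while (i < n) {
        size_t j = i;
        while (j < n && s[j] != '/' && s[j] != '\\') j++;  /* component s[i..j) */
        size_t clen = j - i;
        if (clen == 2 && s[i] == '.' && s[i + 1] == '.') return -1;
        if (o + clen + 1 >= outsz) return -1;  /* room for component, '/' and NUL */
        memcpy(out + o, s + i, clen);
        o += clen;
        if (j < n) out[o++] = '/';
        i = j + 1;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample member names; two carry overlong encodings. */
    const char *samples[] = {
        "dir/file.txt", "/etc/passwd", "..\\..\\etc\\passwd",
        "\xC0\xAE\xC0\xAE/etc/passwd", "sub/\xC0\xAF" "etc", "caf\xC3\xA9.txt",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = cab_safe_name(samples[i], out, sizeof out);
        printf("%-28s -> %s\n", samples[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

Validating the encoding first and scanning bytes second is the cheaper order, but it only holds if the validator really rejects every overlong form; a decoder that silently accepts C0 AF as '/' would reopen the hole the NOTE describes.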
	- libcsoap (bug #778599)
	[squeeze] - libcsoap (Minor issue)
	[wheezy] - libcsoap (Minor issue)
	NOTE: CVE assigned only for the null pointer dereference, not all issues in
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/17/2
CVE-2015-2091 (The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earl ...)
	{DSA-3177-1 DLA-170-1}
	- mod-gnutls 0.6-1.3 (bug #578663)
	NOTE: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
CVE-2015-1614 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Imag ...)
	NOT-FOR-US: WordPress plugin image-metadata-cruncher
CVE-2015-1607 (kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2 ...)
	[experimental] - gnupg2 2.1.2-1
	- gnupg2 2.0.26-5 (bug #778577)
	[wheezy] - gnupg2 (Minor issue)
	[squeeze] - gnupg2 (Minor issue)
	- gnupg 1.4.18-7 (bug #778652)
	[wheezy] - gnupg (Too intrusive to backport; minor issue)
	[squeeze] - gnupg (Too intrusive to backport; minor issue)
	NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392
CVE-2015-1606 (The keyring DB in GnuPG before 2.1.2 does not properly handle invalid ...)
	{DSA-3184-1 DLA-175-1}
	[experimental] - gnupg2 2.1.2-1
	- gnupg2 2.0.26-5 (bug #778577)
	[wheezy] - gnupg2 (Minor issue)
	[squeeze] - gnupg2 (Minor issue)
	- gnupg 1.4.18-7 (bug #778652)
	[squeeze] - gnupg (Minor issue)
	NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
CVE-2015-1604 (Unrestricted file upload vulnerability in asys/site/files.php in Admin ...)
	NOT-FOR-US: Landsknecht Adminsystems
CVE-2015-1603 (Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CM ...)
	NOT-FOR-US: Landsknecht Adminsystems
CVE-2015-1600 (Information disclosure vulnerability in Netatmo Indoor Module firmware ...)
	NOT-FOR-US: Netatmo Weather Station
CVE-2015-1588 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Se ...)
	NOT-FOR-US: Open-Xchange
CVE-2015-1587 (Unrestricted file upload vulnerability in file_to_index.php in Maarch ...)
	NOT-FOR-US: Maarch LetterBox
CVE-2015-1586
	RESERVED
CVE-2015-1585 (Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-si ...)
	NOT-FOR-US: Fat Free CRM
CVE-2015-1584
	RESERVED
CVE-2015-1583 (Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2 ...)
	NOT-FOR-US: ATutor
CVE-2015-1582 (Multiple cross-site scripting (XSS) vulnerabilities in the Spider Face ...)
	NOT-FOR-US: Spider Facebook plugin for WordPress
CVE-2015-1581 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobi ...)
	NOT-FOR-US: Mobile Domain plugin for WordPress
CVE-2015-1580 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Redi ...)
	NOT-FOR-US: Redirection Page plugin for WordPress
CVE-2015-1579 (Directory traversal vulnerability in the Elegant Themes Divi theme for ...)
	NOT-FOR-US: Elegant Themes Divi theme for WordPress
CVE-2015-1578 (Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow rem ...)
	NOT-FOR-US: u5CMS
CVE-2015-1577 (Directory traversal vulnerability in u5admin/deletefile.php in u5CMS b ...)
	NOT-FOR-US: u5CMS
CVE-2015-1576 (Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow rem ...)
	NOT-FOR-US: u5CMS
CVE-2015-1575 (Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3. ...)
	NOT-FOR-US: u5CMS
CVE-2015-1574 (The Google Email application 4.2.2.0200 for Android allows remote atta ...)
	NOT-FOR-US: Google Email application for Android
CVE-2015-1593 (The stack randomization feature in the Linux kernel before 3.19.1 on 6 ...)
	{DSA-3170-1 DLA-155-1}
	- linux 3.16.7-ckt7-1
	- linux-2.6
	NOTE: http://hmarco.org/bugs/linux-ASLR-integer-overflow.html
	NOTE: https://lkml.org/lkml/2015/2/14/61
CVE-2015-1592 (Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and ...)
	{DSA-3183-1}
	- movabletype-opensource
	[squeeze] - movabletype-opensource (Not supported in Squeeze LTS)
	NOTE: https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/2
CVE-2015-1572 (Heap-based buffer overflow in closefs.c in the libext2fs library in e2 ...)
	{DSA-3166-1 DLA-162-1}
	- e2fsprogs 1.42.12-1.1 (bug #778948)
	NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
CVE-2015-1571 (** DISPUTED ** The CAPWAP DTLS protocol implementation in Fortinet For ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2015-1570 (The Endpoint Control protocol implementation in Fortinet FortiClient 5 ...)
	NOT-FOR-US: Fortinet FortiClient
CVE-2015-1569 (Fortinet FortiClient 5.2.028 for iOS does not validate certificates, w ...)
	NOT-FOR-US: Fortinet FortiClient
CVE-2015-2305 (Integer overflow in the regcomp implementation in the Henry Spencer BS ...)
	{DSA-3195-1 DLA-444-1 DLA-233-1}
	- php5 5.6.6+dfsg-1 (low; bug #778389)
	- olsrd (only when building on Android, see bug #778390)
	- llvm-toolchain-3.4 (low; bug #778391)
	[jessie] - llvm-toolchain-3.4 (Minor issue)
	- llvm-toolchain-3.5 1:3.5.2-2 (low; bug #778392)
	[jessie] - llvm-toolchain-3.5 (Minor issue)
	- llvm-toolchain-3.6 1:3.6-1 (bug #778393)
	- llvm-toolchain-3.7 1:3.7~+rc3-1
	- llvm-toolchain-snapshot 1:3.8~svn245286-1 (bug #778394)
	- haskell-regex-posix (only when building on Windows, see bug #778395)
	- cups (Local regex copy only used when building on Windows, see #778396)
	- librcsb-core-wrapper 1.005-3 (bug #778397)
	- openrpt (unimportant; bug #778398)
	- z88dk (Local regex copy only used when building on Windows, see bug #778399)
	- newlib 2.0.0-1 (bug #778408)
	[squeeze] - newlib (Minor issue)
	[wheezy] - newlib (Minor issue)
	- yap 6.2.2-3 (low; bug #778410)
	[jessie] - yap (Minor issue)
	[squeeze] - yap (Minor issue)
	[wheezy] - yap (Minor issue)
	- vnc4 4.1.1+X4.3.0+t-1 (unimportant; bug #778403)
	NOTE: affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
	- sma (Local regex copy only used when building on Windows, see #778411)
	- clamav 0.98.7+dfsg-1 (unimportant; bug #778406)
	[jessie] - clamav 0.98.7+dfsg-0+deb8u1
	[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
	[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
	NOTE: Only exploitable through virusdb updates, which need to be trusted anyway
	- knews (Uses system regex code, see #778401)
	- radare2 0.10.5+dfsg-1 (low; bug #778402)
	[jessie] - radare2 (Minor issue)
	[wheezy] - radare2 (Minor issue)
	- efl (Only used when building on Windows, see #778414)
	- ptlib (unimportant; bug #778404)
	NOTE: ptlib uses the regex code from glibc, local fallback code not used
	- alpine (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
	- vigor 0.016-24 (unimportant; bug #778409)
	[wheezy] - vigor 0.016-19+deb7u1
	- nvi 1.81.6-13 (unimportant; bug #778412)
	NOTE: No security impact in nvi/vigor and openrpt
	NOTE: http://www.kb.cert.org/vuls/id/695940
	NOTE: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/16/8
CVE-2015-XXXX [insecure storage of password in the NUT-monitor app]
	- nut 2.7.2-2 (low; bug #777706)
	[wheezy] - nut (Minor issue)
	[squeeze] - nut (Minor issue)
CVE-2015-1881 (OpenStack Image Registry and Delivery Service (Glance) 2014.2 through ...)
	- glance (Only affects 2014.2.x releases, only present in experimental)
	[wheezy] - glance (Vulnerable code not present)
	NOTE: https://review.openstack.org/#/c/156553
CVE-2015-1877 (The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 ...)
	{DSA-3165-1 DLA-217-1}
	- xdg-utils 1.1.0~rc1+git20111210-7.4 (bug #777722)
CVE-2015-1568 (Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scr ...)
	NOT-FOR-US: Drupal module GD Infinite Scroll
CVE-2015-1567 (Cross-site scripting (XSS) vulnerability in the admin page in the GD I ...)
	NOT-FOR-US: Drupal module GD Infinite Scroll
CVE-2015-1566 (Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7. ...)
	NOT-FOR-US: DotNetNuke
CVE-2015-1565 (Cross-site scripting (XSS) vulnerability in the online help in Hitachi ...)
	NOT-FOR-US: Hitachi
CVE-2015-1564 (Cross-site scripting (XSS) vulnerability in style-underground/search i ...)
	NOT-FOR-US: Plain Black WebGUI
CVE-2015-1562 (Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7. ...)
	NOT-FOR-US: Saurus CMS
CVE-2015-1561 (The escape_command function in include/Administration/corePerformance/ ...)
	- centreon-web (bug #913903)
CVE-2015-1560 (SQL injection vulnerability in the isUserAdmin function in include/com ...)
	- centreon-web (bug #913903)
CVE-2015-1559 (Multiple cross-site request forgery (CSRF) vulnerabilities in administ ...)
	NOT-FOR-US: Epignosis eFront
CVE-2015-1557
	RESERVED
CVE-2015-1556
	RESERVED
CVE-2015-1555 (Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3. ...)
	- zendframework (Vulnerable code not present)
	NOTE: http://framework.zend.com/security/advisory/ZF2015-01
CVE-2015-1553
	RESERVED
CVE-2015-1552
	RESERVED
CVE-2015-1551 (Directory traversal vulnerability in Aruba Networks ClearPass Policy M ...)
	NOT-FOR-US: Aruba Networks CPPM
CVE-2015-1550 (Directory traversal vulnerability in Aruba Networks ClearPass Policy M ...)
	NOT-FOR-US: Aruba Networks CPPM
CVE-2015-1549
	RESERVED
CVE-2015-1548 (mini_httpd 1.21 and earlier allows remote attackers to obtain sensitiv ...)
	- mini-httpd 1.21-1 (bug #778925)
	[squeeze] - mini-httpd (Minor issue)
	[wheezy] - mini-httpd (Minor issue)
CVE-2015-1544
	RESERVED
CVE-2015-1543
	RESERVED
CVE-2015-1542
	RESERVED
CVE-2015-1541 (The AppWidgetServiceImpl implementation in com/android/server/appwidge ...)
	NOT-FOR-US: Android
CVE-2015-1540
	RESERVED
CVE-2015-1539 (Multiple integer underflows in the ESDS::parseESDescriptor function in ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-1538 (Integer overflow in the SampleTable::setSampleToChunkParams function i ...)
	NOT-FOR-US: libstagefright in Android
CVE-2015-1537 (Integer overflow in IHDCP.cpp in the media_server component in Android ...)
	NOT-FOR-US: Android
CVE-2015-1536 (Integer overflow in the Bitmap_createFromParcel function in core/jni/a ...)
	NOT-FOR-US: Android
CVE-2015-1535
	RESERVED
CVE-2015-1534
	RESERVED
CVE-2015-1533
	RESERVED
CVE-2015-1532
	RESERVED
CVE-2015-1531
	RESERVED
CVE-2015-1530 (media/libmedia/IAudioPolicyService.cpp in Android before 5.1 allows at ...)
	NOT-FOR-US: Android
CVE-2015-1529 (Integer overflow in soundtrigger/ISoundTriggerHwService.cpp in Android ...)
	NOT-FOR-US: Android
CVE-2015-1528 (Integer overflow in the native_handle_create function in libcutils/nat ...)
	NOT-FOR-US: Android
CVE-2015-1527 (Integer overflow in IAudioPolicyService.cpp in Android allows local us ...)
	NOT-FOR-US: Android
CVE-2015-1526 (The media_server component in Android allows remote attackers to cause ...)
	NOT-FOR-US: Android
CVE-2015-1525 (audio/AudioPolicyManagerBase.cpp in Android before 5.1 allows attacker ...)
	NOT-FOR-US: Android
CVE-2015-1524
	RESERVED
CVE-2015-1523
	RESERVED
CVE-2015-1522 (analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject cer ...)
	- bro 2.3.2+dfsg-1
CVE-2015-1521 (analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly h ...)
	- bro 2.3.2+dfsg-1
CVE-2015-1520
	RESERVED
CVE-2015-1519
	RESERVED
CVE-2015-1518 (SQL injection vulnerability in the search_post function in includes/se ...)
	NOT-FOR-US: Redaxscript
CVE-2015-1517 (SQL injection vulnerability in Piwigo before 2.7.4, when all filters a ...)
	- piwigo
	[squeeze] - piwigo (Unsupported in squeeze-lts)
	NOTE: Request to mark the package as unsupported in #779104
CVE-2015-1516 (Cross-site scripting (XSS) vulnerability in Polycom RealPresence Cloud ...)
	NOT-FOR-US: Polycom
CVE-2015-1515 (The dwall.sys driver in SoftSphere DefenseWall Personal Firewall 3.24 ...)
	NOT-FOR-US: SoftSphere
CVE-2015-1514 (Multiple SQL injection vulnerabilities in FancyFon FAMOC before 3.17.4 ...)
	NOT-FOR-US: FancyFon FAMOC
CVE-2015-1513 (SQL injection vulnerability in SIPhone Enterprise PBX allows remote at ...)
	NOT-FOR-US: SIPhone Enterprise PBX
CVE-2015-1512 (Multiple cross-site scripting (XSS) vulnerabilities in FancyFon FAMOC ...)
	NOT-FOR-US: FancyFon FAMOC
CVE-2015-1511
	RESERVED
CVE-2015-1510
	RESERVED
CVE-2015-1509
	RESERVED
CVE-2015-1508
	RESERVED
CVE-2015-1507
	RESERVED
CVE-2015-1506
	RESERVED
CVE-2015-1505
	RESERVED
CVE-2015-1504
	RESERVED
CVE-2015-1503 (Multiple directory traversal vulnerabilities in IceWarp Mail Server be ...)
	NOT-FOR-US: Icewarp mail server
CVE-2015-1502
	RESERVED
CVE-2015-1501 (The factory.loadExtensionFactory function in TSUnicodeGraphEditorContr ...)
	NOT-FOR-US: SolarWinds
CVE-2015-1500 (Multiple stack-based buffer overflows in the TSUnicodeGraphEditorContr ...)
	NOT-FOR-US: SolarWinds
CVE-2015-1499 (The ActiveMQ Broker in Samsung Security Manager (SSM) before 1.31 allo ...)
	NOT-FOR-US: Samsung Security Manager
CVE-2015-1498 (Persistent Systems Radia Client Automation does not properly restrict ...)
	NOT-FOR-US: Persistent Systems Radia Client Automation
CVE-2015-1497 (radexecd.exe in Persistent Systems Radia Client Automation (RCA) 7.9, ...)
	NOT-FOR-US: Persistent Systems Radia Client Automation
CVE-2015-1496 (Motorola Scanner SDK uses weak permissions for (1) CoreScanner.exe, (2 ...)
	NOT-FOR-US: Motorola Scanner SDK
CVE-2015-1495 (Multiple stack-based buffer overflows in Motorola Scanner SDK allow re ...)
	NOT-FOR-US: Motorola Scanner SDK
CVE-2015-1494 (The FancyBox for WordPress plugin before 3.0.3 for WordPress does not ...)
	NOT-FOR-US: FancyBox plugin for WordPress
CVE-2015-1492 (Untrusted search path vulnerability in the client in Symantec Endpoint ...)
	NOT-FOR-US: Symantec
CVE-2015-1491 (SQL injection vulnerability in the management console in Symantec Endp ...)
	NOT-FOR-US: Symantec
CVE-2015-1490 (Directory traversal vulnerability in the management console in Symante ...)
	NOT-FOR-US: Symantec
CVE-2015-1489 (The management console in Symantec Endpoint Protection Manager (SEPM) ...)
	NOT-FOR-US: Symantec
CVE-2015-1488 (An unspecified action handler in the management console in Symantec En ...)
	NOT-FOR-US: Symantec
CVE-2015-1487 (The management console in Symantec Endpoint Protection Manager (SEPM) ...)
	NOT-FOR-US: Symantec
CVE-2015-1486 (The management console in Symantec Endpoint Protection Manager (SEPM) ...)
	NOT-FOR-US: Symantec
CVE-2015-1485 (Cross-site request forgery (CSRF) vulnerability in the administration ...)
	NOT-FOR-US: Enforce Server in Symantec Data Loss Prevention
CVE-2015-1484 (Unquoted Windows search path vulnerability in the agent in Symantec Wo ...)
	NOT-FOR-US: Symantec Workspace Streaming
CVE-2015-1483 (Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX a ...)
	NOT-FOR-US: Symantec NetBackup OpsCenter
CVE-2015-1573 (The nft_flush_table function in net/netfilter/nf_tables_api.c in the L ...)
	- linux (Vulnerable code introduced in v3.18-rc1, never in the archive outside of experimental)
	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5)
	NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1)
	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=91441
CVE-2015-2046 (Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later ...)
	- mantis
	[wheezy] - mantis (Minor issue)
	[squeeze] - mantis (Unsupported in squeeze-lts)
	NOTE: Upstream patch: https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x)
	NOTE: https://www.mantisbt.org/bugs/view.php?id=19301
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/09/10
	NOTE: CVE for specific portion of the original May 2014 adm_config_report.php discovery
	NOTE: that remains present in version 1.2.18 and 1.2.19
CVE-2015-XXXX [fails to detect silent driver failure to change MAC]
	- macchanger 1.7.0-5.3 (bug #774898)
	[wheezy] - macchanger (Minor issue)
	[squeeze] - macchanger (Minor issue)
CVE-2015-9101 (The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3. ...)
	- lame 3.99.5+repack1-6 (bug #777161)
	[wheezy] - lame 3.99.5+repack1-3+deb7u1
	[squeeze] - lame (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-9100 (The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3. ...)
	- lame 3.99.5+repack1-6 (bug #777160)
	[wheezy] - lame 3.99.5+repack1-3+deb7u1
	[squeeze] - lame (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-9099 (The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 ...)
	- lame 3.99.5+repack1-6 (bug #775959)
	[wheezy] - lame 3.99.5+repack1-3+deb7u1
	[squeeze] - lame (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-XXXX [denial of service under memory stress]
	- libhtp 1:0.5.25-1 (bug #777522)
	[squeeze] - libhtp (Minor issue)
	[wheezy] - libhtp (Minor issue)
	NOTE: https://github.com/inliniac/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828
CVE-2015-2058 (c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates dat ...)
	- jabberd2 2.3.3-1 (bug #779154)
	NOTE: https://github.com/jabberd2/jabberd2/issues/85
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/09/13
CVE-2015-2059 (The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in ...)
	{DSA-3578-1 DLA-476-1 DLA-277-1}
	- libidn 1.31-1 (medium)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/23/25
	NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
	NOTE: This could be attributed to a misuse of a (poorly documented) API
	NOTE: but since upstream provided a patch it makes more sense to fix
	NOTE: only libidn instead of every application using it
CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in Open ...)
	{DSA-3209-1 DLA-203-1}
	- openldap 2.4.40-4 (bug #776988)
	[wheezy] - openldap (Minor issue)
	[squeeze] - openldap (Minor issue)
	NOTE: http://www.openldap.org/its/?findid=8027
	NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c32e74763f77675b9e144126e375977ed6dc562c
CVE-2015-1546 (Double free vulnerability in the get_vrFilter function in servers/slap ...)
	- openldap 2.4.40-4 (bug #776991)
	[wheezy] - openldap (Regression introduced in 2.4.40)
	[squeeze] - openldap (Regression introduced in 2.4.40)
	NOTE: http://www.openldap.org/its/?findid=8046
	NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
CVE-2015-2785 (The GIF encoder in Byzanz allows remote attackers to cause a denial of ...)
	- byzanz (unimportant; bug #778261)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/11
	NOTE: Only applies to debug recordings, negligible security impact
CVE-2015-8837 (Stack-based buffer overflow in the isofs_real_readdir function in isof ...)
	{DSA-3551-1 DLA-323-1}
	- fuseiso 20070708-3.2 (bug #779047)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863091
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862211
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/7
CVE-2015-8836 (Integer overflow in the isofs_real_read_zf function in isofs.c in Fuse ...)
	{DSA-3551-1 DLA-323-1}
	- fuseiso 20070708-3.2 (bug #779047)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863102
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=861358
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/7
CVE-2015-1547 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...)
	{DSA-3273-1 DLA-610-1 DLA-221-1}
	- tiff 4.0.3-12.1 (bug #777390)
	- tiff3
	NOTE: http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
	NOTE: fix in https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1547
	NOTE: is applied in 4.0.3-13 (but please recheck this)
	NOTE: Raphael Hertzog> I could not find a way to reliably use the above reproducer. No segfault. And valgrind on "xloadimage" spits lots of warnings about use of uninitialized values with a good file and with the reproducer.
	NOTE: Still this CVE has been added to DLA-221-1 because the patch used for CVE-2014-9655 seems to include the fix for this CVE.
CVE-2015-1482 (Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to ...)
	NOT-FOR-US: Ansible Tower
CVE-2015-1481 (Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization ...)
	NOT-FOR-US: Ansible Tower
CVE-2015-1480 (ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows ...)
	NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus
CVE-2015-1479 (SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO M ...)
	NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus
CVE-2015-1478 (Cross-site scripting (XSS) vulnerability in the CMSJunkie J-Classified ...)
	NOT-FOR-US: Joomla! plugin CMSJunkie J-ClassifiedsManager
CVE-2015-1477 (SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager comp ...)
	NOT-FOR-US: Joomla! plugin CMSJunkie J-ClassifiedsManager
CVE-2015-1476 (Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allo ...)
	NOT-FOR-US: xlinkerz ecommerceMajor
CVE-2015-1475 (Multiple cross-site scripting (XSS) vulnerabilities in my little forum ...)
	NOT-FOR-US: My Little Forum
CVE-2015-1474 (Multiple integer overflows in the GraphicBuffer::unflatten function in ...)
	NOT-FOR-US: Android
CVE-2015-1471 (SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 ...)
	NOT-FOR-US: Pragyan CMS
CVE-2015-1470
	RESERVED
CVE-2015-1469 (time.htm in the web interface on SerVision HVG Video Gateway devices w ...)
	NOT-FOR-US: SerVision HVG Video Gateway
CVE-2015-1468
	RESERVED
CVE-2015-1467 (Multiple SQL injection vulnerabilities in Translations in Fork CMS bef ...)
	NOT-FOR-US: Fork CMS
CVE-2015-1466
	RESERVED
CVE-2015-1464 (RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows ...)
	{DSA-3176-1 DLA-158-1}
	- request-tracker4 4.2.8-3
	- request-tracker3.8
CVE-2015-1463 (ClamAV before 0.98.6 allows remote attackers to cause a denial of serv ...)
	{DLA-233-1}
	- clamav 0.98.6+dfsg-1
	[wheezy] - clamav 0.98.6+dfsg-0+deb7u1
	NOTE: https://github.com/vrtadmin/clamav-devel/commit/96ff19a19eba64bdf47f2f12ecdbc5ee331c09e2
CVE-2015-1462 (ClamAV before 0.98.6 allows remote attackers to have unspecified impac ...)
	{DLA-233-1}
	- clamav 0.98.6+dfsg-1
	[wheezy] - clamav 0.98.6+dfsg-0+deb7u1
CVE-2015-1461 (ClamAV before 0.98.6 allows remote attackers to have unspecified impac ...)
	{DLA-233-1}
	- clamav 0.98.6+dfsg-1
	[wheezy] - clamav 0.98.6+dfsg-0+deb7u1
CVE-2015-1460 (Huawei Quidway switches with firmware before V200R005C00SPC300 allows ...)
	NOT-FOR-US: Huawei Quidway switches
CVE-2015-1459 (Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticato ...)
	NOT-FOR-US: Fortinet FortiAuthenticator
CVE-2015-1458 (Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intende ...)
	NOT-FOR-US: Fortinet FortiAuthenticator
CVE-2015-1457 (Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary ...)
	NOT-FOR-US: Fortinet FortiAuthenticator
CVE-2015-1456 (Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and pa ...)
	NOT-FOR-US: Fortinet FortiAuthenticator
CVE-2015-1455 (Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the ...)
	NOT-FOR-US: Fortinet FortiAuthenticator
CVE-2015-1454 (Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Uni ...)
	NOT-FOR-US: Blue Coat ProxyClient and Unified Agent
CVE-2015-1453 (The qm class in Fortinet FortiClient 5.2.3.091 for Android uses a hard ...)
	NOT-FOR-US: Fortinet FortiClient
CVE-2015-1452 (The Control and Provisioning of Wireless Access Points (CAPWAP) daemon ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2015-1451 (Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiO ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2015-1450 (SQL injection vulnerability in Restaurant Biller allows remote attacke ...)
	NOT-FOR-US: Restaurant Biller
CVE-2015-1449 (Buffer overflow in the integrated web server on Siemens Ruggedcom WIN5 ...)
	NOT-FOR-US: Siemens Ruggedcom
CVE-2015-1448 (The integrated management service on Siemens Ruggedcom WIN51xx devices ...)
	NOT-FOR-US: Siemens Ruggedcom
CVE-2015-1447
	RESERVED
CVE-2015-1446
	RESERVED
CVE-2015-1445 (HTTP header injection in the httpd package in fli4l before 3.10.1 and ...)
	NOT-FOR-US: fli4l
CVE-2015-1444 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...)
	NOT-FOR-US: fli4l
CVE-2015-1443 (The httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30 all ...)
	NOT-FOR-US: fli4l
CVE-2015-1442 (SQL injection vulnerability in views/zero_transact_user.php in the adm ...)
	NOT-FOR-US: ZeroCMS
CVE-2015-1440
	RESERVED
CVE-2015-1439
	RESERVED
CVE-2015-1438 (Heap-based buffer overflow in Panda Security Kernel Memory Access Driv ...)
	NOT-FOR-US: Panda
CVE-2015-1437 (Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 ...)
	NOT-FOR-US: Asus RT-N10+ D1 router
CVE-2015-1436 (Cross-site scripting (XSS) vulnerability in the Easing Slider plugin b ...)
	NOT-FOR-US: Easing Slider plugin for WordPress
CVE-2015-1435 (Cross-site scripting (XSS) vulnerability in my little forum before 2.3 ...)
	NOT-FOR-US: Little forum
CVE-2015-1434 (Multiple SQL injection vulnerabilities in my little forum before 2.3.4 ...)
	NOT-FOR-US: Little forum
CVE-2015-1429 (Directory traversal vulnerability in Cybele Software Thinfinity Remote ...)
	NOT-FOR-US: Cybele Software Thinfinity Remote Desktop Workstation
CVE-2015-1428 (Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow ...)
	NOT-FOR-US: Sefrengo
CVE-2015-1427 (The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x be ...)
	- elasticsearch (Affects 1.3.0-1.3.7 and 1.4.0-1.4.2, vulnerable code not present)
	NOTE: http://seclists.org/bugtraq/2015/Feb/92
	NOTE: Problem in the Groovy scripting engine.
CVE-2015-1426 (Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains s ...)
	- facter 2.4.4-1 (bug #778265)
	[jessie] - facter (Minor issue)
	[squeeze] - facter (Uses version 2008-02-01 of the EC2 API which does not expose security credentials)
	[wheezy] - facter (Minor issue)
	NOTE: http://puppetlabs.com/security/cve/cve-2015-1426
	NOTE: https://tickets.puppetlabs.com/browse/FACT-800
	NOTE: The assessment for Squeeze being unaffected is based on the fact that the code accesses http://169.254.169.254/2008-02-01/meta-data/ and that http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html mentions the iam/security-credentials/role key as being introduced in version 2012-01-12.
CVE-2015-1493 (Directory traversal vulnerability in the min_get_slash_argument functi ...)
	- moodle 2.7.5+dfsg-1
	[squeeze] - moodle (Unsupported in squeeze-lts)
	NOTE: http://git.moodle.org/gw?p=moodle.git;a=commit;h=af9a7937cc085f96bdbc4724cadec6eeae0242fc
CVE-2015-XXXX [Invalid read in ensure_filepath]
	- libmspack 0.5-1
	- cabextract 1.4-5
	[wheezy] - cabextract (Minor issue)
	[squeeze] - cabextract (Minor issue)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/03/12
	NOTE: Starting with 1.4-5 cabextract uses the mspack system library
CVE-2015-XXXX [Invalid read in create_output_name]
	- libmspack 0.5-1
	- cabextract 1.4-5
	[wheezy] - cabextract (Minor issue)
	[squeeze] - cabextract (Minor issue)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/03/12
	NOTE: Starting with 1.4-5 cabextract uses the mspack system library
CVE-2015-1465 (The IPv4 implementation in the Linux kernel before 3.18.8 does not pro ...)
	- linux 3.16.7-ckt7-1
	[wheezy] - linux (Introduced in 3.16)
	- linux-2.6 (Introduced in 3.16)
	NOTE: Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0 (v3.19-rc7)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/02/2
CVE-2015-1473 (The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka gli ...)
	{DSA-3169-1 DLA-165-1}
	- glibc 2.19-15 (bug #777197)
	- eglibc
	[squeeze] - eglibc (Vulnerable code not present)
	NOTE: Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16618
	NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
	NOTE: This was introduced by https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 (2.15),
	NOTE: the patch was backported into wheezy (patches/any/cvs-vfscanf.diff), but not squeeze
CVE-2015-1472 (The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka gli ...)
	{DSA-3169-1 DLA-165-1}
	- glibc 2.19-15 (bug #777197)
	- eglibc
	[squeeze] - eglibc (Vulnerable code not present)
	NOTE: Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16618
	NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
	NOTE: This was introduced by https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 (2.15),
	NOTE: the patch was backported into wheezy (patches/any/cvs-vfscanf.diff), but not squeeze
CVE-2015-XXXX [Infinite loop in patch]
	- patch 2.7.4-1 (low; bug #776271)
	[squeeze] - patch (Minor issue)
	[wheezy] - patch (Minor issue)
	NOTE: Different from CVE-2014-9637
CVE-2015-1441 (SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5 ...)
	- piwigo
	[squeeze] - piwigo (Unsupported in squeeze-lts)
	NOTE: Request to mark the package as unsupported in #779104
	NOTE: http://piwigo.org/releases/2.7.3
CVE-2015-1433 (program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does ...)
	{DLA-613-1}
	- roundcube 0.9.5+dfsg1-4.2 (low; bug #776700)
	[wheezy] - roundcube (Minor issue)
	[squeeze] - roundcube (Minor issue)
CVE-2015-1432 (The message_options function in includes/ucp/ucp_pm_options.php in php ...)
	- phpbb3 3.0.12-4 (low; bug #776699)
	[wheezy] - phpbb3 3.0.10-4+deb7u2
	[squeeze] - phpbb3 (Minor issue)
	NOTE: https://tracker.phpbb.com/browse/PHPBB3-13526
CVE-2015-1431 (Cross-site scripting (XSS) vulnerability in includes/startup.php in ph ...)
	- phpbb3 3.0.12-4 (low; bug #776699)
	[wheezy] - phpbb3 3.0.10-4+deb7u2
	[squeeze] - phpbb3 (Minor issue)
	NOTE: https://tracker.phpbb.com/browse/PHPBB3-13531
CVE-2015-1430 (Buffer overflow in xymon 4.3.17-1. ...)
	- xymon 4.3.17-5 (low; bug #776007)
	[squeeze] - xymon (Vulnerable code not present)
	[wheezy] - xymon (Vulnerable code not present)
	NOTE: Upstream patch: http://sourceforge.net/p/xymon/code/7483/
	NOTE: https://www.openwall.com/lists/oss-security/2015/01/30/17
CVE-2015-1425 (JAKWEB Gecko CMS has Multiple Input Validation Vulnerabilities ...)
	NOT-FOR-US: JAKWEB Gecko CMS
CVE-2015-1424 (Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2 ...)
	NOT-FOR-US: Gecko CMS
CVE-2015-1423 (Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow ...)
	NOT-FOR-US: Gecko CMS
CVE-2015-1422 (Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 a ...)
	NOT-FOR-US: Gecko CMS
CVE-2015-XXXX [symlink directory traversal]
	- unrar-nonfree 1:5.2.7-0.1 (bug #774171)
	[wheezy] - unrar-nonfree 1:4.1.4-1+deb7u1
	[squeeze] - unrar-nonfree (Non-free not supported)
CVE-2015-1589 (Directory traversal vulnerability in arCHMage 0.2.4 allows remote atta ...)
	- archmage 1:0.2.4-4 (bug #776164)
	[squeeze] - archmage (Minor issue)
	[wheezy] - archmage (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/9
CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote at ...)
	- vsftpd 3.0.2-18 (unimportant; bug #776922)
	[jessie] - vsftpd 3.0.2-17+deb8u1
	NOTE: http://seclists.org/oss-sec/2015/q1/389
	NOTE: Not a real security feature according to the manpage and upstream
CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, and pat ...)
	NOT-FOR-US: patch as used in FreeBSD specifically
CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BETA2-p2 ...)
	- kfreebsd-10 10.2-1 (unimportant)
	NOTE: kfreebsd not covered by security support in Jessie
CVE-2015-1416 (Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 ...)
	- patch 2.5-1
	NOTE: https://www.openwall.com/lists/oss-security/2015/08/02/6
	NOTE: CVE assignment applies as well to GNU patch before 2.3 and 2.2.5
CVE-2015-1415 (The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configur ...)
	NOT-FOR-US: FreeBSD installer
CVE-2015-1414 (Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 b ...)
	{DSA-3175-2 DSA-3175-1}
	[experimental] - kfreebsd-11 11.0~svn284956-1
	- kfreebsd-10 10.1~svn274115-4 (bug #779195)
	- kfreebsd-9 (bug #779201)
	- kfreebsd-8 (bug #779202)
	[wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update)
	[squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS)
	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc
CVE-2015-1413
	RESERVED
CVE-2015-1412
	RESERVED
CVE-2015-1411
	RESERVED
CVE-2015-1410
	RESERVED
CVE-2015-1409
	RESERVED
CVE-2015-1408
	RESERVED
CVE-2015-1407
	RESERVED
CVE-2015-1406
	RESERVED
CVE-2015-1400 (SQL injection vulnerability in search.php in NPDS Revolution 13 allows ...)
	NOT-FOR-US: NPDS Revolution
CVE-2015-1399 (PHP remote file inclusion vulnerability in the fetchView function in t ...)
	NOT-FOR-US: Magento
CVE-2015-1398 (Multiple directory traversal vulnerabilities in Magento Community Edit ...)
	NOT-FOR-US: Magento
CVE-2015-1397 (SQL injection vulnerability in the getCsvFile function in the Mage_Adm ...)
	NOT-FOR-US: Magento
CVE-2015-1394 (Multiple cross-site scripting (XSS) vulnerabilities in the Photo Galle ...)
	NOT-FOR-US: WordPress plugin photo-gallery
CVE-2015-1393 (SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 ...)
	NOT-FOR-US: WordPress plugin photo-gallery
CVE-2015-1392 (Multiple SQL injection vulnerabilities in Aruba Networks ClearPass Pol ...)
	NOT-FOR-US: Aruba Networks CPPM
CVE-2015-1391
	RESERVED
CVE-2015-1390
	RESERVED
CVE-2015-1389 (Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass P ...)
	NOT-FOR-US: Aruba Networks CPPM
CVE-2015-1388 (The "RAP console" feature in ArubaOS 5.x through 6.2.x, 6.3.x before 6 ...)
	NOT-FOR-US: ArubaOS
CVE-2015-1387
	REJECTED
CVE-2015-1385 (Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Pod ...)
	NOT-FOR-US: WordPress plugin powerpress
CVE-2015-1384 (Cross-site scripting (XSS) vulnerability in the Banner Effect Header p ...)
	NOT-FOR-US: Banner Effect Header plugin for WordPress
CVE-2015-1383 (Cross-site scripting (XSS) vulnerability in the geo search widget in t ...)
	NOT-FOR-US: WordPress plugin geo-mashup
CVE-2015-1376 (pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPre ...)
	NOT-FOR-US: WordPress plugin Pixabay Images
CVE-2015-1375 (pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPre ...)
	NOT-FOR-US: WordPress plugin Pixabay Images
CVE-2015-1374 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...)
	NOT-FOR-US: ferretCMS
CVE-2015-1373 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in fe ...)
	NOT-FOR-US: ferretCMS
CVE-2015-1372 (SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote att ...)
	NOT-FOR-US: ferretCMS
CVE-2015-1371 (Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows ...)
	NOT-FOR-US: ferretCMS
CVE-2015-1368 (Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower ( ...)
	NOT-FOR-US: Ansible Tower
CVE-2015-1367 (SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote ...)
	NOT-FOR-US: CatBot
CVE-2015-1366 (Cross-site scripting (XSS) vulnerability in pixabay-images.php in the ...)
	NOT-FOR-US: Wordpress plugin Pixabay Images
CVE-2015-1365 (Directory traversal vulnerability in pixabay-images.php in the Pixabay ...)
	NOT-FOR-US: Wordpress plugin Pixabay Images
CVE-2015-1364 (SQL injection vulnerability in the getProfile function in system/profi ...)
	NOT-FOR-US: Free Reprintables ArticleFR
CVE-2015-1363 (Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleF ...)
	NOT-FOR-US: ArticleFR
CVE-2015-1362 (Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7 ...)
	NOT-FOR-US: Exif Pilot
CVE-2015-1361 (platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrom ...)
	- chromium-browser 40.0.2214.91-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1360 (Skia, as used in Google Chrome before 40.0.2214.91, allows remote atta ...)
	- chromium-browser 40.0.2214.91-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1359 (Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, ...)
	- chromium-browser 40.0.2214.91-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1358 (The remote-management module in the (1) Multi Panels, (2) Comfort Pane ...)
	NOT-FOR-US: Siemens SIMATIC
CVE-2015-1357 (Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, ...)
	NOT-FOR-US: Siemens Ruggedcom
CVE-2015-1356 (Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 determines a user's ...)
	NOT-FOR-US: Siemens SIMATIC
CVE-2015-1355 (Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 uses a weak password ...)
	NOT-FOR-US: Siemens SIMATIC
CVE-2015-1563 (The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows l ...)
	- xen 4.4.1-7 (low; bug #776319)
	[wheezy] - xen (Only affects 4.4 and later on arm)
	[squeeze] - xen (Only affects 4.4 and later on arm)
CVE-2015-1558 (Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when u ...)
	- asterisk 1:13.1.0~dfsg-1.1 (bug #780601)
	[jessie] - asterisk (Only affects 12.x and 13.x)
	[wheezy] - asterisk (Only affects 12.x and 13.x)
	[squeeze] - asterisk (Only affects 12.x and 13.x)
	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24666
	NOTE: http://downloads.digium.com/pub/security/AST-2015-001.html
CVE-2015-1421 (Use-after-free vulnerability in the sctp_assoc_update function in net/ ...)
	{DSA-3170-1 DLA-155-1}
	- linux 3.16.7-ckt4-3
	- linux-2.6
	NOTE: Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=600ddd6825543962fb807884169e57b580dba208
CVE-2015-1420 (Race condition in the handle_to_path function in fs/fhandle.c in the L ...)
	{DSA-3170-1}
	- linux 3.16.7-ckt7-1
	- linux-2.6 (Introduced in 2.6.39)
	NOTE: http://marc.info/?l=linux-kernel&m=142247707318982&w=2
	NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=161f873b89136eb1e69477c847d5a5033239d9ba (v4.1-rc7)
CVE-2015-1405 (SQL injection vulnerability in the Content Rating Extbase extension 2. ...)
	NOT-FOR-US: typo3 extension
CVE-2015-1404 (Cross-site scripting (XSS) vulnerability in the Content Rating Extbase ...)
	NOT-FOR-US: typo3 extension
CVE-2015-1403 (SQL injection vulnerability in the Content Rating extension 1.0.3 and ...)
	NOT-FOR-US: typo3 extension
CVE-2015-1402 (Cross-site scripting (XSS) vulnerability in the Content Rating extensi ...)
	NOT-FOR-US: typo3 extension
CVE-2015-1401 (Improper Authentication vulnerability in the "LDAP / SSO Authenticatio ...)
	NOT-FOR-US: typo3 extension
CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service (c ...)
	- kgb-bot (low; bug #776424)
	NOTE: 20190201: random crash still not reproducible
CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...)
	NOT-FOR-US: sequelize
CVE-2015-1354
	RESERVED
CVE-2015-1349 (named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x befor ...)
	{DSA-3162-1 DLA-163-1}
	- bind9 1:9.9.5.dfsg-9 (low; bug #778733)
CVE-2015-1348 (Heap-based buffer overflow in Aruba Instant (IAP) with firmware before ...)
	NOT-FOR-US: Aruba Instant
CVE-2015-1347 (Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket ...)
	NOT-FOR-US: osTicket
CVE-2015-1344 (The do_write_pids function in lxcfs.c in LXCFS before 0.12 does not pr ...)
	- lxcfs (Fixed before initial upload to the archive)
	NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1512854
CVE-2015-1343 (All versions of unity-scope-gdrive logs search terms to syslog. ...)
	NOT-FOR-US: unity-scope-gdrive
CVE-2015-1342 (LXCFS before 0.12 does not properly enforce directory escapes, which m ...)
	- lxcfs (Fixed before initial upload to the archive)
	NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481
CVE-2015-1341 (Any Python module in sys.path can be imported if the command line of t ...)
	NOT-FOR-US: Apport
CVE-2015-1340 (LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has an unsa ...)
	- lxd (bug #768073)
CVE-2015-1339 (Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in ...)
	- linux 4.4.2-1
	[jessie] - linux (Vulnerable code introduced in v4.2-rc1)
	[wheezy] - linux (Vulnerable code introduced in v4.2-rc1)
	NOTE: Introduced in: https://git.kernel.org/linus/cc080e9e9be16ccf26135d366d7d2b65209f1d56 (v4.2-rc1)
	NOTE: Fixed in: https://git.kernel.org/linus/2c5816b4beccc8ba709144539f6fdd764f8fa49c (v4.4-rc5)
CVE-2015-1338 (kernel_crashdump in Apport before 2.19 allows local users to cause a d ...)
	NOT-FOR-US: Apport
CVE-2015-1337 (Simple Streams (simplestreams) does not properly verify the GPG signat ...)
	NOT-FOR-US: simplestreams
CVE-2015-1336 (The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in ...)
	- man-db 2.7.6-1 (bug #840357)
	[jessie] - man-db (Minor issue)
	[wheezy] - man-db (Minor issue)
	[squeeze] - man-db (Not exploitable in practice)
	NOTE: http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
	NOTE: https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1482786
CVE-2015-1335 (lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local cont ...)
	{DSA-3400-1 DLA-442-1}
	- lxc 1:1.0.8-1 (bug #800471)
	[wheezy] - lxc (Minor issue)
	NOTE: https://launchpad.net/bugs/1476662
	NOTE: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be
	NOTE: https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html
CVE-2015-1334 (attach.c in LXC 1.1.2 and earlier uses the proc filesystem in a contai ...)
	{DSA-3317-1}
	- lxc 1:1.0.7-4 (bug #793298)
	[wheezy] - lxc (Affects 0.9.0 and higher)
	[squeeze] - lxc (Affects 0.9.0 and higher)
CVE-2015-1333 (Memory leak in the __key_link_end function in security/keys/keyring.c ...)
	- linux 4.1.3-1
	[jessie] - linux 3.16.7-ckt11-1+deb8u3
	[wheezy] - linux (Introduced in 3.13)
	- linux-2.6 (Introduced in 3.13)
	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=034faeb9ef390d58239e1dce748143f6b35a0d9b (v3.13-rc1)
CVE-2015-1332 (The oxide::JavaScriptDialogManager function in oxide-qt before 1.9.1 a ...)
	NOT-FOR-US: oxide-qt
	NOTE: The JavaScriptDialogManager exists as well for chromium-browser, but this
	NOTE: CVE seems to be assigned specifically to an issue in oxide::JavaScriptDialogManager
CVE-2015-1331 (lxclock.c in LXC 1.1.2 and earlier allows local users to create arbitr ...)
	{DSA-3317-1}
	- lxc 1:1.0.7-4 (bug #793298)
	[wheezy] - lxc (Affects 1.0.0 and higher)
	[squeeze] - lxc (Affects 1.0.0 and higher)
CVE-2015-1330 (unattended-upgrades before 0.86.1 does not properly authenticate packa ...)
	{DSA-3297-1 DLA-267-1}
	- unattended-upgrades 0.86.1
CVE-2015-1329 (Use-after-free vulnerability in oxide::qt::URLRequestDelegatedJob in o ...)
	NOT-FOR-US: Oxide-QT
CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) package b ...)
	- linux (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian)
	- linux-2.6 (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian)
	NOTE: http://seclists.org/oss-sec/2015/q2/717
	NOTE: https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html
	NOTE: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549
CVE-2015-1327 (Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only ...)
	NOT-FOR-US: Content Hub
CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call ...)
	- python-dbusmock 0.15.1-1 (bug #786858)
	[jessie] - python-dbusmock 0.11.4-1+deb8u1
	NOTE: https://bugs.launchpad.net/python-dbusmock/+bug/1453815
CVE-2015-1325 (Race condition in Apport before 2.17.2-0ubuntu1.1 as packaged in Ubunt ...)
	NOT-FOR-US: Apport
CVE-2015-1324 (Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2. ...)
	NOT-FOR-US: Apport
CVE-2015-1323 (The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 a ...)
	{DLA-261-1}
	- aptdaemon 1.1.1+bzr982-1 (bug #789162)
	[jessie] - aptdaemon 1.1.1-4+deb8u1
	[wheezy] - aptdaemon 0.45-2+deb7u1
	NOTE: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587
CVE-2015-1322 (Directory traversal vulnerability in the Ubuntu network-manager packag ...)
	- network-manager (Ubuntu specific patch)
	NOTE: http://www.ubuntu.com/usn/usn-2581-1
	NOTE: https://bazaar.launchpad.net/~phablet-team/network-manager/ofono-format-cleanup/view/head:/debian/patches/add_ofono_settings_support.patch
CVE-2015-1321 (Use-after-free vulnerability in the file picker implementation in Oxid ...)
	NOT-FOR-US: Oxide
CVE-2015-1320 (The SeaMicro provisioning of Ubuntu MAAS logs credentials, including u ...)
	NOT-FOR-US: Ubuntu MAAS
CVE-2015-1319 (The Unity Settings Daemon before 14.04.0+14.04.20150825-0ubuntu2 and 1 ...)
	- unity (bug #609278)
CVE-2015-1318 (The crash reporting feature in Apport 2.13 through 2.17.x before 2.17. ...)
	NOT-FOR-US: Apport
CVE-2015-1317 (Use-after-free vulnerability in Oxide before 1.5.6 and 1.6.x before 1. ...)
	NOT-FOR-US: Oxide
CVE-2015-1316 (Juju Core's Joyent provider before version 1.25.5 uploads the user's p ...)
	- juju
CVE-2015-1315 (Buffer overflow in the charset_to_intern function in unix/unix.c in In ...)
	- unzip (*-unzip60-alt-iconv-utf8 patch not applied in Debian)
CVE-2015-1314 (The USAA Mobile Banking application before 7.10.1 for Android displays ...)
	NOT-FOR-US: USAA Mobile Banking application for Android
CVE-2015-1313
	RESERVED
CVE-2015-1312 (The Dealer Portal in SAP ERP does not properly restrict access, which ...)
	NOT-FOR-US: SAP
CVE-2015-1311 (The Extended Application Services (XS) in SAP HANA allows remote attac ...)
	NOT-FOR-US: SAP
CVE-2015-1310 (SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ...)
	NOT-FOR-US: SAP
CVE-2015-1309 (XML external entity vulnerability in the Extended Computer Aided Test ...)
	NOT-FOR-US: SAP
CVE-2015-1305 (McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows loca ...)
	NOT-FOR-US: McAfee Data Loss Prevention Endpoint
CVE-2015-1386 (Directory traversal vulnerability in unshield 1.0-1. ...)
	- unshield 1.4-1 (low; bug #776193)
	[jessie] - unshield (Minor issue)
	[wheezy] - unshield (Minor issue)
	[squeeze] - unshield (Minor issue)
	NOTE: https://github.com/twogood/unshield/issues/42
CVE-2015-1382 (parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a ...)
	{DSA-3145-1 DLA-142-1}
	- privoxy 3.0.21-7 (bug #776490)
	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/parsers.c?r1=1.297&r2=1.298
CVE-2015-1381 (Multiple unspecified vulnerabilities in pcrs.c in Privoxy before 3.0.2 ...)
	{DSA-3145-1 DLA-142-1}
	- privoxy 3.0.21-7 (bug #776490)
	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/pcrs.c?r1=1.46&r2=1.47
CVE-2015-1380 (jcc.c in Privoxy before 3.0.23 allows remote attackers to cause a deni ...)
	- privoxy 3.0.21-7 (bug #776490)
	[wheezy] - privoxy (Vulnerable code introduced in 3.0.20)
	[squeeze] - privoxy (Vulnerable code introduced in 3.0.20)
	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/jcc.c?r1=1.433&r2=1.434
CVE-2015-1379 (The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b ...)
	- socat 1.7.2.4-2 (bug #776234)
	[wheezy] - socat (Minor issue)
	[squeeze] - socat (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/6
	NOTE: Upstream advisory: http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt
CVE-2015-1378 (cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68 ...)
	- grml-debootstrap 0.68.1 (low; bug #776502)
	[wheezy] - grml-debootstrap (Minor issue)
	NOTE: https://github.com/grml/grml-debootstrap/issues/59
CVE-2015-1377 (The Read Mail module in Webmin 1.720 allows local users to read arbitr ...)
	- webmin
CVE-2015-1395 (Directory traversal vulnerability in GNU patch versions which support ...)
	- patch 2.7.3-1 (bug #775873)
	[wheezy] - patch (Support for git-style patches added in 2.7)
	[squeeze] - patch (Support for git-style patches added in 2.7)
	NOTE: Upstream report: https://savannah.gnu.org/bugs/?44059
	NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/2
CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Nod ...)
	- node-marked 0.3.6+dfsg-1 (unimportant)
	NOTE: https://nodesecurity.io/advisories/marked_vbscript_injection
	NOTE: https://github.com/chjj/marked/issues/492
	NOTE: libv8 is not covered by security support
CVE-2015-1304 (object-observe.js in Google V8, as used in Google Chrome before 45.0.2 ...)
	{DSA-3376-1}
	- chromium-browser 45.0.2454.101-1
	[jessie] - chromium-browser (minor issue)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libv8-3.14 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-1303 (bindings/core/v8/V8DOMWrapper.h in Blink, as used in Google Chrome bef ...)
	{DSA-3376-1}
	- chromium-browser 45.0.2454.101-1
	[jessie] - chromium-browser (minor issue)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1302 (The PDF viewer in Google Chrome before 46.0.2490.86 does not properly ...)
	{DSA-3415-1}
	- chromium-browser 47.0.2526.73-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	NOTE: http://googlechromereleases.blogspot.de/2015/11/stable-channel-update.html
CVE-2015-1301 (Multiple unspecified vulnerabilities in Google Chrome before 45.0.2454 ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1300 (The FrameFetchContext::updateTimingInfoForIFrameNavigation function in ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1299 (Use-after-free vulnerability in the shared-timer implementation in Bli ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1298 (The RuntimeEventRouter::OnExtensionUninstalled function in extensions/ ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1297 (The WebRequest API implementation in extensions/browser/api/web_reques ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1296 (The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.c ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1295 (Multiple use-after-free vulnerabilities in the PrintWebViewHelper clas ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1294 (Use-after-free vulnerability in the SkMatrix::invertNonIdentity functi ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1293 (The DOM implementation in Blink, as used in Google Chrome before 45.0. ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1292 (The NavigatorServiceWorker::serviceWorker function in modules/servicew ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1291 (The ContainerNode::parserRemoveChild function in core/dom/ContainerNod ...)
	{DSA-3351-1}
	- chromium-browser 45.0.2454.85-1 (low)
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1290 (The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and ...)
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	- libv8-3.14 (unimportant)
	NOTE: libv8 not covered by security support
CVE-2015-1289 (Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403 ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1288 (The Spellcheck API implementation in Google Chrome before 44.0.2403.89 ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1287 (Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks- ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1286 (Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1285 (The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.c ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1284 (The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1283 (Multiple integer overflows in the XML_GetBuffer function in Expat thro ...)
	{DSA-3318-1 DSA-3315-1 DLA-281-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- expat 2.1.0-7 (bug #793484)
	NOTE: Patch: https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
CVE-2015-1282 (Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Docu ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1281 (core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1280 (SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403 ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1279 (Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2 ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1278 (content/browser/web_contents/web_contents_impl.cc in Google Chrome bef ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1277 (Use-after-free vulnerability in the accessibility implementation in Go ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1276 (Use-after-free vulnerability in content/browser/indexed_db/indexed_db_ ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1275 (Cross-site scripting (XSS) vulnerability in org/chromium/chrome/browse ...)
	- chromium-browser (Android-specific)
CVE-2015-1274 (Google Chrome before 44.0.2403.89 does not ensure that the auto-open l ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1273 (Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1272 (Use-after-free vulnerability in the GPU process implementation in Goog ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1271 (PDFium, as used in Google Chrome before 44.0.2403.89, does not properl ...)
	{DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1270 (The ucnv_io_getConverterName function in common/ucnv_io.cpp in Interna ...)
	{DSA-3360-1 DSA-3315-1}
	- chromium-browser 44.0.2403.89-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- icu 55.1-5 (bug #798647)
	[wheezy] - icu (code in ucnv_io_getConverterName not present, introduced in 49.x)
	[squeeze] - icu (code in ucnv_io_getConverterName not present, introduced in 49.x)
	NOTE: http://bugs.icu-project.org/trac/ticket/11696
	NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37486/
CVE-2015-1269 (The DecodeHSTSPreloadRaw function in net/http/transport_security_state ...)
	{DSA-3315-1}
	- chromium-browser 43.0.2357.130-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1268 (bindings/scripts/v8_types.py in Blink, as used in Google Chrome before ...)
	{DSA-3315-1}
	- chromium-browser 43.0.2357.130-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1267 (Blink, as used in Google Chrome before 43.0.2357.130, does not properl ...)
	{DSA-3315-1}
	- chromium-browser 43.0.2357.130-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1266 (content/browser/webui/content_web_ui_controller_factory.cc in Google C ...)
	{DSA-3315-1}
	- chromium-browser 43.0.2357.130-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1265 (Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357 ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1264 (Cross-site scripting (XSS) vulnerability in Google Chrome before 43.0. ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1263 (The Spellcheck API implementation in Google Chrome before 43.0.2357.65 ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1262 (platform/fonts/shaping/HarfBuzzShaper.cpp in Blink, as used in Google ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1261 (android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1260 (Multiple use-after-free vulnerabilities in content/renderer/media/user ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1259 (PDFium, as used in Google Chrome before 43.0.2357.65, does not properl ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1258 (Google Chrome before 43.0.2357.65 relies on libvpx code that was not b ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
	- libvpx 1.4.0-4 (unimportant)
	[wheezy] - libvpx (vp9 code introduced in 1.3.0)
	[squeeze] - libvpx (vp9 code not present in 0.9.1)
	NOTE: That's not a vulnerability in libvpx per se
	NOTE: 1.4.0-4 adds the workaround to configure with --size-limit=16384x16384
	NOTE: https://github.com/webmproject/libvpx/commit/943e43273b0a7369d07714e7fd2e19fecfb11c7c
CVE-2015-1257 (platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1256 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1255 (Use-after-free vulnerability in content/renderer/media/webaudio_captur ...)
	{DSA-3267-1}
	- chromium-browser 43.0.2357.65-1
	[wheezy] - chromium-browser
	[squeeze] - chromium-browser
CVE-2015-1254 (core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2 ...)
{DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1253 (core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1252 (common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1251 (Use-after-free vulnerability in the SpeechRecognitionClient implementa ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1250 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311 ...) {DSA-3242-1} - chromium-browser 42.0.2311.135-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html CVE-2015-1249 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311 ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1248 (The FileSystem API in Google Chrome before 40.0.2214.91 allows remote ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1247 (The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1246 (Blink, as used in Google Chrome before 42.0.2311.90, allows remote att ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1245 (Use-after-free vulnerability in the OpenPDFInReaderView::Update functi ...) 
{DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1244 (The URLRequest::GetHSTSRedirect function in url_request/url_request.cc ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1243 (Use-after-free vulnerability in the MutationObserver::disconnect funct ...) {DSA-3242-1} - chromium-browser 42.0.2311.135-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html CVE-2015-1242 (The ReduceTransitionElementsKind function in hydrogen-check-eliminatio ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1241 (Google Chrome before 42.0.2311.90 does not properly consider the inter ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1240 (gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1239 (Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG ...) {DLA-1433-1} - openjpeg2 2.1.1-1 NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=430891 NOTE: https://github.com/uclouvain/openjpeg/issues/477 NOTE: The issue must have been fixed in one of the commits before or with NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e NOTE: which corresponds to the r2997 commit as mentioned in the merge which NOTE: fixed the issue on Google/PDFium's side. CVE-2015-1238 (Skia, as used in Google Chrome before 42.0.2311.90, allows remote atta ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1237 (Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived ...) 
{DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1236 (The MediaElementAudioSourceNode::process function in modules/webaudio/ ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1235 (The ContainerNode::parserRemoveChild function in core/dom/ContainerNod ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1234 (Race condition in gpu/command_buffer/service/gles2_cmd_decoder.cc in G ...) - chromium-browser 41.0.2272.118-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1233 (Google Chrome before 41.0.2272.118 does not properly handle the intera ...) - chromium-browser 41.0.2272.118-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1232 (Array index error in the MidiManagerUsb::DispatchSendMidiData function ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1231 (Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272 ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1230 (The getHiddenProperty function in bindings/core/v8/V8EventListenerList ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-1229 (net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 d ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1228 (The RenderCounter::updateCounter function in core/rendering/RenderCoun ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1227 (The DragImage::create function in platform/DragImage.cpp in Blink, as ...) 
- chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1226 (The DebuggerFunction::InitAgentHost function in browser/extensions/api ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1225 (PDFium, as used in Google Chrome before 41.0.2272.76, allows remote at ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1224 (The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_dec ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1223 (Multiple use-after-free vulnerabilities in core/html/HTMLInputElement. ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1222 (Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCach ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1221 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1220 (Use-after-free vulnerability in the GIFImageReader::parseData function ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1219 (Integer overflow in the SkMallocPixelRef::NewAllocate function in core ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1218 (Multiple use-after-free vulnerabilities in the DOM implementation in B ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1217 (The V8LazyEventListener::prepareListenerObject function in bindings/co ...) 
- chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1216 (Use-after-free vulnerability in the V8Window::namedPropertyGetterCusto ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1215 (The filters implementation in Skia, as used in Google Chrome before 41 ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1214 (Integer overflow in the SkAutoSTArray implementation in include/core/S ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1213 (The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filte ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1212 (Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214 ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1211 (The OriginCanAccessServiceWorkers function in content/browser/service_ ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1210 (The V8ThrowException::createDOMException function in bindings/core/v8/ ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1209 (Use-after-free vulnerability in the VisibleSelection::nonBoundaryShado ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1208 (Integer underflow in the mov_read_default function in libavformat/mov. ...) - ffmpeg 7:2.5.3-1 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0 CVE-2015-1207 (Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chr ...) 
{DLA-1654-1} - ffmpeg 7:2.6.1-1 - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75 CVE-2015-1206 (Heap-based buffer overflow in Google Chrome before M40 allows remote a ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser CVE-2015-1204 (Cross-site scripting (XSS) vulnerability in the Save Filters functiona ...) NOT-FOR-US: Save Filters functionality in the WP Slimstat plugin for WordPress CVE-2015-1190 RESERVED CVE-2015-1189 RESERVED CVE-2015-1188 (The certificate verification functions in the HNDS service in Swisscom ...) NOT-FOR-US: Swisscom Centro Grande DSL router CVE-2015-1187 (The ping tool in multiple D-Link and TRENDnet devices allow remote att ...) NOT-FOR-US: D-Link CVE-2015-1186 RESERVED CVE-2015-1185 RESERVED CVE-2015-1184 RESERVED CVE-2015-1183 RESERVED CVE-2015-1181 RESERVED CVE-2015-1180 (Cross-site scripting (XSS) vulnerability in the Web Reports in EventSe ...) NOT-FOR-US: EventSentry CVE-2015-1179 (Multiple cross-site scripting (XSS) vulnerabilities in data_point_deta ...) NOT-FOR-US: Mango Automation CVE-2015-1178 (Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-C ...) NOT-FOR-US: X-Cart CVE-2015-1177 (Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2. ...) NOT-FOR-US: Exponent CMS CVE-2015-1176 (Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in ...) NOT-FOR-US: osTicket CVE-2015-1174 (Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA ...) NOT-FOR-US: Unit4 Polska TETA Web CVE-2015-1173 (Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 does not pro ...) NOT-FOR-US: Unit4 Polska TETA Web CVE-2015-1172 (Unrestricted file upload vulnerability in admin/upload-file.php in the ...) NOT-FOR-US: WordPress theme holding_pattern CVE-2015-1171 (Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6 ...) 
NOT-FOR-US: SIM Card Editor CVE-2015-1170 (The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 ...) NOT-FOR-US: NVIDIA Windows driver CVE-2015-1169 (Apereo Central Authentication Service (CAS) Server before 3.5.3 allows ...) NOT-FOR-US: Apereo Central Authentication Service CVE-2015-1168 RESERVED CVE-2015-1167 RESERVED CVE-2015-1166 RESERVED CVE-2015-1165 (RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x bef ...) {DSA-3176-1 DLA-158-1} - request-tracker4 4.2.8-3 - request-tracker3.8 CVE-2015-1163 RESERVED CVE-2015-1162 RESERVED CVE-2015-1161 RESERVED CVE-2015-1396 (A Directory Traversal vulnerability exists in the GNU patch before 2.7 ...) - patch 2.7.3-1 (bug #775901) [wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) [squeeze] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/3 CVE-2015-1353 REJECTED CVE-2015-4471 (Off-by-one error in the lzxd_decompress function in lzxd.c in libmspac ...) - libmspack 0.5-1 (bug #775499) NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4470 (Off-by-one error in the inflate function in mszipd.c in libmspack befo ...) - libmspack 0.5-1 (bug #775498) NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4472 (Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack befor ...) - libmspack 0.5-1 (bug #775687) NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-1591 (The kamailio build in kamailio before 4.2.0-2 process allows local use ...) - kamailio 4.2.0-2 (bug #775681) NOTE: https://github.com/kamailio/kamailio/issues/48 CVE-2015-1590 (The kamcmd administrative utility and default configuration in kamaili ...) 
- kamailio 4.2.0-2 (bug #775681) NOTE: https://github.com/kamailio/kamailio/issues/48 CVE-2015-XXXX [insecure configuration permissions] - phabricator 0~git20150129-1 (bug #775479) CVE-2015-XXXX [race condition between fur and fex_cleanup may create internal instead of external user] - fex 20150120-1 (low; bug #773751) [squeeze] - fex (Minor issue as it does not affect default setups) CVE-2015-XXXX [information leak in event device handling] - linux 3.16.7-ckt7-1 [wheezy] - linux (Introduced in 3.11) - linux-2.6 (Introduced in 3.11) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f56070fde2367766fa1fb04852599b5e1ad35 (v3.18-rc1) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=483180281f0ac60d1138710eb21f4b9961901294 (v3.11-rc1) NOTE: CVE Request: http://article.gmane.org/gmane.comp.security.oss.general/15457 CVE-2015-1346 (Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, a ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2015-1345 (The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows ...) - grep 2.20-4.1 (low; bug #776039) [squeeze] - grep (Issue introduced with v2.18-90-g73893ff) [wheezy] - grep (Issue introduced with v2.18-90-g73893ff) NOTE: http://bugs.gnu.org/19563 NOTE: Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2 CVE-2015-1182 (The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1 ...) {DSA-3136-1 DLA-144-1} - polarssl 1.3.9-2.1 (bug #775776) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04 CVE-2015-1175 (Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in t ...) 
NOT-FOR-US: PrestaShop CVE-2015-1160 RESERVED CVE-2015-1159 (Cross-site scripting (XSS) vulnerability in the cgi_puts function in c ...) {DSA-3283-1 DLA-239-1} - cups 1.7.5-12 CVE-2015-1158 (The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 ...) {DSA-3283-1 DLA-239-1} - cups 1.7.5-12 CVE-2015-1157 (CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause ...) NOT-FOR-US: Apple iOS CVE-2015-1156 (The page-loading implementation in WebKit, as used in Apple Safari bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1155 (The history implementation in WebKit, as used in Apple Safari before 6 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1154 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1153 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1152 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1151 (Wiki Server in Apple OS X Server before 4.1 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2015-1150 (The Firewall component in Apple OS X Server before 4.1 uses an incorre ...) NOT-FOR-US: Apple CVE-2015-1149 (Integer overflow in the simulator in Swift in Apple Xcode before 6.3 a ...) NOT-FOR-US: Apple Xcode CVE-2015-1148 (Screen Sharing in Apple OS X before 10.10.3 stores the password of a u ...) NOT-FOR-US: Apple CVE-2015-1147 (Open Directory Client in Apple OS X before 10.10.3 sends unencrypted p ...) NOT-FOR-US: Apple CVE-2015-1146 (The Code Signing implementation in Apple OS X before 10.10.3 does not ...) 
NOT-FOR-US: Apple CVE-2015-1145 (The Code Signing implementation in Apple OS X before 10.10.3 does not ...) NOT-FOR-US: Apple CVE-2015-1144 (Buffer overflow in the UniformTypeIdentifiers component in Apple OS X ...) NOT-FOR-US: Apple CVE-2015-1143 (LaunchServices in Apple OS X before 10.10.3 allows local users to gain ...) NOT-FOR-US: Apple CVE-2015-1142 (LaunchServices in Apple OS X before 10.10.3 allows local users to caus ...) NOT-FOR-US: Apple CVE-2015-1141 (The mach_vm_read functionality in the kernel in Apple OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-1140 (Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows loc ...) NOT-FOR-US: Apple CVE-2015-1139 (ImageIO in Apple OS X before 10.10.3 allows remote attackers to execut ...) NOT-FOR-US: Apple CVE-2015-1138 (Hypervisor in Apple OS X before 10.10.3 allows local users to cause a ...) NOT-FOR-US: Apple CVE-2015-1137 (The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local u ...) NOT-FOR-US: Apple CVE-2015-1136 (Use-after-free vulnerability in CoreAnimation in Apple OS X before 10. ...) NOT-FOR-US: Apple CVE-2015-1135 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1134 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1133 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1132 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1131 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1130 (The XPC implementation in Admin Framework in Apple OS X before 10.10.3 ...) NOT-FOR-US: Apple CVE-2015-1129 (Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does ...) NOT-FOR-US: Apple Safari CVE-2015-1128 (The private-browsing implementation in Apple Safari before 6.2.5, 7.x ...) 
NOT-FOR-US: Apple Safari CVE-2015-1127 (The private-browsing implementation in WebKit in Apple Safari before 6 ...) NOT-FOR-US: Apple Safari CVE-2015-1126 (WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1125 (The touch-events implementation in WebKit in Apple iOS before 8.3 allo ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1124 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1123 (WebKit, as used in Apple iOS before 8.3 and Apple TV before 7.2, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1122 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1121 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1120 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1119 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1118 (libnetcore in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: Apple CVE-2015-1117 (The (1) setreuid and (2) setregid system-call implementations in the k ...) NOT-FOR-US: iOS CVE-2015-1116 (The UIKit View component in Apple iOS before 8.3 displays unblurred ap ...) 
NOT-FOR-US: iOS CVE-2015-1115 (The Telephony component in Apple iOS before 8.3 allows attackers to by ...) NOT-FOR-US: iOS CVE-2015-1114 (The Sandbox Profiles component in Apple iOS before 8.3 and Apple TV be ...) NOT-FOR-US: iOS CVE-2015-1113 (The Sandbox Profiles component in Apple iOS before 8.3 allows attacker ...) NOT-FOR-US: iOS CVE-2015-1112 (Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as ...) NOT-FOR-US: iOS CVE-2015-1111 (Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs da ...) NOT-FOR-US: iOS CVE-2015-1110 (The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 ...) NOT-FOR-US: iOS CVE-2015-1109 (NetworkExtension in Apple iOS before 8.3 stores credentials in VPN con ...) NOT-FOR-US: iOS CVE-2015-1108 (The Lock Screen component in Apple iOS before 8.3 does not properly en ...) NOT-FOR-US: iOS CVE-2015-1107 (The Lock Screen component in Apple iOS before 8.3 does not properly im ...) NOT-FOR-US: iOS CVE-2015-1106 (The QuickType feature in the Keyboards subsystem in Apple iOS before 8 ...) NOT-FOR-US: iOS CVE-2015-1105 (The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS ...) NOT-FOR-US: iOS CVE-2015-1104 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1103 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1102 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1101 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1100 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1099 (Race condition in the setreuid system-call implementation in the kerne ...) NOT-FOR-US: iOS CVE-2015-1098 (iWork in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows rem ...) 
NOT-FOR-US: iOS CVE-2015-1097 (IOMobileFramebuffer in Apple iOS before 8.3 and Apple TV before 7.2 al ...) NOT-FOR-US: iOS CVE-2015-1096 (IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Ap ...) NOT-FOR-US: iOS CVE-2015-1095 (IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Ap ...) NOT-FOR-US: iOS CVE-2015-1094 (IOAcceleratorFamily in Apple iOS before 8.3 and Apple TV before 7.2 al ...) NOT-FOR-US: iOS CVE-2015-1093 (FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allow ...) NOT-FOR-US: iOS CVE-2015-1092 (NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before ...) NOT-FOR-US: iOS CVE-2015-1091 (The CFNetwork Session component in Apple iOS before 8.3 and Apple OS X ...) NOT-FOR-US: iOS CVE-2015-1090 (CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transpor ...) NOT-FOR-US: iOS CVE-2015-1089 (CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does n ...) NOT-FOR-US: iOS CVE-2015-1088 (CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not p ...) NOT-FOR-US: iOS CVE-2015-1087 (Directory traversal vulnerability in Backup in Apple iOS before 8.3 al ...) NOT-FOR-US: iOS CVE-2015-1086 (The Audio Drivers subsystem in Apple iOS before 8.3 and Apple TV befor ...) NOT-FOR-US: iOS CVE-2015-1085 (AppleKeyStore in Apple iOS before 8.3 does not properly restrict a cer ...) NOT-FOR-US: iOS CVE-2015-1084 (The user interface in WebKit, as used in Apple Safari before 6.2.4, 7. ...) NOT-FOR-US: Safari CVE-2015-1083 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1082 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1081 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) 
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1080 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1079 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1078 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1077 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1076 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1075 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1074 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1073 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1072 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1071 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) 
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1070 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1069 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1068 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1067 (Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, ...) NOT-FOR-US: Apple CVE-2015-1066 (Off-by-one error in IOAcceleratorFamily in Apple OS X through 10.10.2 ...) NOT-FOR-US: Apple CVE-2015-1065 (Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 a ...) NOT-FOR-US: Apple CVE-2015-1064 (Springboard in Apple iOS before 8.2 allows physically proximate attack ...) NOT-FOR-US: Apple CVE-2015-1063 (CoreTelephony in Apple iOS before 8.2 allows remote attackers to cause ...) NOT-FOR-US: Apple CVE-2015-1062 (MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 d ...) NOT-FOR-US: Apple CVE-2015-1061 (IOSurface in Apple iOS before 8.2, Apple OS X through 10.10.2, and App ...) NOT-FOR-US: Apple CVE-2015-1060 (Open redirect vulnerability in lib/Cake/Controller/Controller.php in A ...) NOT-FOR-US: AdaptCMS CVE-2015-1059 (Unrestricted file upload vulnerability in admin/files/add in AdaptCMS ...) NOT-FOR-US: AdaptCMS CVE-2015-1058 (Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 ...) NOT-FOR-US: AdaptCMS CVE-2015-1057 (Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2 ...) NOT-FOR-US: e107 CVE-2015-1056 (Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printe ...) 
NOT-FOR-US: Brother printer CVE-2015-1055 (SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for Word ...) NOT-FOR-US: WordPress plugin Photo Gallery CVE-2015-1054 (Cross-site scripting (XSS) vulnerability in the Games feature in Crea8 ...) NOT-FOR-US: Crea8Social CVE-2015-1053 (Cross-site scripting (XSS) vulnerability in the administrative backend ...) NOT-FOR-US: Croogo CVE-2015-1052 (Cross-site scripting (XSS) vulnerability in the poll archive in PHPKIT ...) NOT-FOR-US: PHPKIT CVE-2015-1050 (Cross-site scripting (XSS) vulnerability in F5 BIG-IP Application Secu ...) NOT-FOR-US: F5 BIG-IP Application Security Manager CVE-2015-1049 (The web server on Siemens SCALANCE X-200IRT switches with firmware bef ...) NOT-FOR-US: Siemens SCALANCE CVE-2015-1205 (Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214 ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: See CVE-2014-9654 for the bug in src:icu CVE-2015-1203 REJECTED CVE-2015-1202 REJECTED CVE-2015-1201 (Privoxy before 3.0.22 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Bogus entry for Privoxy picked from Secunia CVE-2015-1308 (kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote a ...) - kde-workspace 4:5.1.95-1 [jessie] - kde-workspace (Minor issue) [wheezy] - kde-workspace (Minor issue) CVE-2015-1307 (plasma-workspace before 5.1.95 allows remote attackers to obtain passw ...) NOT-FOR-US: KDE Plasma 5 desktop, not yet packaged CVE-2015-1306 (The newsletter posting area in the web interface in Sympa 6.0.x before ...) {DSA-3134-1 DLA-148-1} - sympa 6.1.23~dfsg-2 NOTE: https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting CVE-2015-1051 (Open redirect vulnerability in the Context UI module in the Context mo ...) NOT-FOR-US: Drupal extension drupal7-context CVE-2015-2304 (Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 a ...) 
{DSA-3180-1 DLA-166-1} - libarchive 3.1.2-11 (bug #778266) NOTE: https://www.openwall.com/lists/oss-security/2015/01/16/7 NOTE: Patch: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526 CVE-2015-1200 (Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for t ...) - pxz 4.999.99~beta3+git659fc9b-3 (bug #775306) CVE-2015-1199 (Directory traversal vulnerability in ppmd 10.1-5. ...) - ppmd (low; bug #775218) [jessie] - ppmd (Minor issue) [wheezy] - ppmd (Minor issue) [squeeze] - ppmd (Minor issue) CVE-2015-1195 (The V2 API in OpenStack Image Registry and Delivery Service (Glance) b ...) - glance 2014.1.3-11 (bug #775926) [wheezy] - glance (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1 CVE-2015-1350 (The VFS subsystem in the Linux kernel 3.x provides an incomplete set o ...) {DLA-772-1} - linux 4.8.11-1 (bug #770492) [jessie] - linux 3.16.39-1 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/linus/030b533c4fd4d2ec3402363323de4bb2983c9cee CVE-2015-1164 (Open redirect vulnerability in the serve-static plugin before 1.7.2 fo ...) - node-serve-static 1.6.4-2 (unimportant; bug #775843) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/serve-static-open-redirect NOTE: https://github.com/expressjs/serve-static/issues/26 CVE-2015-1048 (Open redirect vulnerability in the integrated web server on Siemens SI ...) NOT-FOR-US: Siemens CVE-2015-1047 (vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 b ...) NOT-FOR-US: VMware vCenter CVE-2015-1046 REJECTED CVE-2015-1045 REJECTED CVE-2015-1044 (vmware-authd (aka the Authorization process) in VMware Workstation 10. ...) NOT-FOR-US: VMware CVE-2015-1043 (The Host Guest File System (HGFS) in VMware Workstation 10.x before 10 ...) NOT-FOR-US: VMware CVE-2015-1041 (Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php ...) 
	NOT-FOR-US: e107
CVE-2015-1040 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...)
	NOT-FOR-US: BEdita
CVE-2015-1039 (Cross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Com ...)
	NOT-FOR-US: zfcUser
CVE-2015-1037
	RESERVED
CVE-2015-1036
	RESERVED
CVE-2015-1035
	RESERVED
CVE-2015-1034
	RESERVED
CVE-2015-1033
	RESERVED
CVE-2015-1032 (Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when u ...)
	- kiwix 2.0.4-1
CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x b ...)
	- puppet-module-puppetlabs-stdlib 4.9.0-1 (bug #775535)
	[jessie] - puppet-module-puppetlabs-stdlib (The jessie version of facter is recent enough)
	NOTE: http://puppetlabs.com/security/cve/cve-2015-1029
	NOTE: http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2015-January/009318.html
CVE-2015-1028 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730 ...)
	NOT-FOR-US: D-Link router
CVE-2015-1027 (The version checking subroutine in percona-toolkit before 2.2.13 and x ...)
	- percona-toolkit 2.2.13-1 (unimportant)
	[wheezy] - percona-toolkit (version-check introduced in 2.1.4)
	- percona-xtrabackup (unimportant)
	NOTE: Automatic version check is disabled and inherently insecure (CVE-2014-2029)
	NOTE: Patch applied to OpenSUSE 13.1: https://build.opensuse.org/package/view_file/openSUSE:13.1:Update/xtrabackup/percona-xtrabackup-CVE-2015-1027.patch?expand=1
CVE-2015-1026 (Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngi ...)
	NOT-FOR-US: ZOHO ManageEngine
CVE-2015-1025
	RESERVED
CVE-2015-1024
	RESERVED
CVE-2015-1023
	RESERVED
CVE-2015-1022
	RESERVED
CVE-2015-1021
	RESERVED
CVE-2015-1020
	RESERVED
CVE-2015-1019
	RESERVED
CVE-2015-1018
	RESERVED
CVE-2015-1017
	RESERVED
CVE-2015-1016
	RESERVED
CVE-2015-1015 (Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, an ...)
	NOT-FOR-US: Omron CX-One
CVE-2015-1014 (A successful exploit of these vulnerabilities requires the local user ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-1013 (OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure tha ...)
	NOT-FOR-US: OSIsoft PI AF and OSIsoft PI SQL for AF
CVE-2015-1012 (Wireless keys are stored in plain text on version 5 of the Hospira Lif ...)
	NOT-FOR-US: Hospira
CVE-2015-1011 (Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credenti ...)
	NOT-FOR-US: Hospira LifeCare
CVE-2015-1010 (Rockwell Automation RSView32 7.60.00 (aka CPR9 SR4) and earlier does n ...)
	NOT-FOR-US: Rockwell Automation RSView32
CVE-2015-1009 (Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wond ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-1008 (SQL injection vulnerability in Emerson AMS Device Manager before 13 al ...)
	NOT-FOR-US: Emerson AMS Device Manager
CVE-2015-1007 (A specially crafted configuration file could be used to cause a stack- ...)
	NOT-FOR-US: Opto 22 PAC
CVE-2015-1006 (A vulnerable file in Opto 22 PAC Project Professional versions prior t ...)
	NOT-FOR-US: Opto
CVE-2015-1005 (IniNet embeddedWebServer (aka eWebServer) before 2.02 for Windows CE u ...)
	NOT-FOR-US: IniNet
CVE-2015-1004
	REJECTED
CVE-2015-1003 (Directory traversal vulnerability in IniNet embeddedWebServer (aka eWe ...)
	NOT-FOR-US: IniNet
CVE-2015-1002 (IniNet embeddedWebServer (aka eWebServer) before 2.02 mishandles URL e ...)
	NOT-FOR-US: IniNet
CVE-2015-1001 (Multiple stack-based buffer overflows in IniNet embeddedWebServer (aka ...)
	NOT-FOR-US: IniNet
CVE-2015-1000 (Stack-based buffer overflow in the OpenForIPCamTest method in the RTSP ...)
	NOT-FOR-US: SStreamVideo ActiveX control
CVE-2015-0999 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...)
	NOT-FOR-US: Schneider Electric InduSoft Web Studio
CVE-2015-0998 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...)
	NOT-FOR-US: Schneider Electric InduSoft Web Studio
CVE-2015-0997 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...)
	NOT-FOR-US: Schneider Electric InduSoft Web Studio
CVE-2015-0996 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...)
	NOT-FOR-US: Schneider Electric InduSoft Web Studio
CVE-2015-0995 (Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which ma ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0994 (Inductive Automation Ignition 7.7.2 allows remote authenticated users ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0993 (Inductive Automation Ignition 7.7.2 does not terminate a session upon ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0992 (Inductive Automation Ignition 7.7.2 stores cleartext OPC Server creden ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0991 (Inductive Automation Ignition 7.7.2 allows remote attackers to obtain ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0990 (Untrusted search path vulnerability in Ecava IntegraXor SCADA Server b ...)
	NOT-FOR-US: Ecava IntegraXor SCADA Server
CVE-2015-0989 (PACTware 4.1 SP3 allows remote attackers to cause a denial of service ...)
	NOT-FOR-US: PACTware
CVE-2015-0988 (Omron CX-One CX-Programmer before 9.6 uses a reversible format for pas ...)
	NOT-FOR-US: Omron CX-One
CVE-2015-0987 (Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, an ...)
	NOT-FOR-US: Omron CX-One
CVE-2015-0986 (Multiple stack-based buffer overflows in Moxa VPort ActiveX SDK Plus b ...)
	NOT-FOR-US: Moxa VPort ActiveX SDK Plus
CVE-2015-0985 (Cross-site request forgery (CSRF) vulnerability in XZERES 442SR OS on ...)
	NOT-FOR-US: XZERES 442SR (wind turbine)
CVE-2015-0984 (Directory traversal vulnerability in the FTP server on Honeywell Excel ...)
	NOT-FOR-US: Honeywell Excel Web
CVE-2015-0983
	REJECTED
CVE-2015-0982 (Buffer overflow in an unspecified DLL in Schneider Electric Pelco DS-N ...)
	NOT-FOR-US: Schneider Electric
CVE-2015-0981 (The SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.37 ...)
	NOT-FOR-US: SCADA Engine BACnet
CVE-2015-0980 (Format string vulnerability in BACnOPCServer.exe in the SOAP web inter ...)
	NOT-FOR-US: SCADA Engine BACnet
CVE-2015-0979 (Heap-based buffer overflow in the SOAP web interface in SCADA Engine B ...)
	NOT-FOR-US: SCADA Engine BACnet
CVE-2015-0978 (Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics ...)
	NOT-FOR-US: Elipse E3
CVE-2015-0977 (Network Vision IntraVue before 2.3.0a14 on Windows allows remote attac ...)
	NOT-FOR-US: IntraVue
CVE-2015-0976 (Cross-site scripting (XSS) vulnerability in Inductive Automation Ignit ...)
	NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0975
	RESERVED
CVE-2015-0974 (Untrusted search path vulnerability in ZTE Datacard MF19 0V1.0.0B04 al ...)
	NOT-FOR-US: ZTE Datacard MF19
CVE-2015-0972 (Pearson ProctorCache before 2015.1.17 uses the same hardcoded password ...)
	NOT-FOR-US: Pearson ProctorCache
CVE-2015-0971 (The DER parser in Suricata before 2.0.8 allows remote attackers to cau ...)
	{DSA-3254-1}
	- suricata 2.0.8-1
	[wheezy] - suricata (ASN.1 parser for X509 certificates in DER format introduced in 1.3)
	[squeeze] - suricata (ASN.1 parser for X509 certificates in DER format introduced in 1.3)
	NOTE: http://suricata-ids.org/2015/05/06/suricata-2-0-8-available/
	NOTE: Patch: https://github.com/inliniac/suricata/commit/fa73a0bb8f312fd0a95cc70f6b3ee4e4997bdba7
CVE-2015-0970 (Cross-site request forgery (CSRF) vulnerability in SearchBlox before 8 ...)
	NOT-FOR-US: SearchBlox
CVE-2015-0969 (SearchBlox before 8.2 allows remote attackers to obtain sensitive info ...)
	NOT-FOR-US: SearchBlox
CVE-2015-0968 (Unrestricted file upload vulnerability in admin/uploadImage.html in Se ...)
	NOT-FOR-US: SearchBlox
CVE-2015-0967 (Multiple cross-site scripting (XSS) vulnerabilities in SearchBlox befo ...)
	NOT-FOR-US: SearchBlox
CVE-2015-0966
	RESERVED
CVE-2015-0965
	RESERVED
CVE-2015-0964
	RESERVED
CVE-2015-0963
	RESERVED
CVE-2015-0962 (Barracuda Web Filter 7.x and 8.x before 8.1.0.005, when SSL Inspection ...)
	NOT-FOR-US: Barracuda Web Filter
CVE-2015-0961 (Barracuda Web Filter before 8.1.0.005, when SSL Inspection is enabled, ...)
	NOT-FOR-US: Barracuda Web Filter
CVE-2015-0960
	RESERVED
CVE-2015-0959
	RESERVED
CVE-2015-0958
	RESERVED
CVE-2015-0957
	RESERVED
CVE-2015-0956
	RESERVED
CVE-2015-0955
	REJECTED
CVE-2015-0954
	RESERVED
CVE-2015-0953
	RESERVED
CVE-2015-0952
	RESERVED
CVE-2015-0951 (X-Cart before 5.1.11 allows remote authenticated users to read or dele ...)
	NOT-FOR-US: X-Cart
CVE-2015-0950 (Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 ...)
	NOT-FOR-US: X-Cart
CVE-2015-0949 (The System Management Mode (SMM) implementation in Dell Latitude E6430 ...)
	NOT-FOR-US: System Management Mode (SMM) implementation in various BIOS implementations
CVE-2015-0948
	RESERVED
CVE-2015-0947
	RESERVED
CVE-2015-0946
	RESERVED
CVE-2015-0945
	RESERVED
CVE-2015-0944
	RESERVED
CVE-2015-0943 (Basware Banking (Maksuliikenne) before 9.10.0.0 does not encrypt commu ...)
	NOT-FOR-US: Basware Banking
CVE-2015-0942
	REJECTED
CVE-2015-0941 (The Inetc plugin for Nullsoft Scriptable Install System (NSIS), as use ...)
	NOT-FOR-US: Nullsoft Scriptable Install System plugin Inetc
CVE-2015-0940
	RESERVED
CVE-2015-0939
	RESERVED
CVE-2015-0938 (search.php on the Blue Coat Malware Analysis appliance with software b ...)
	NOT-FOR-US: Blue Coat
CVE-2015-0937 (Cross-site scripting (XSS) vulnerability in search.php on the Blue Coa ...)
	NOT-FOR-US: Blue Coat
CVE-2015-0936 (Ceragon FibeAir IP-10 have a default SSH public key in the authorized_ ...)
	NOT-FOR-US: Ceragon FibeAir IP-10
CVE-2015-0935 (Bomgar Remote Support before 15.1.1 allows remote attackers to execute ...)
	NOT-FOR-US: Bomgar Remote Support
CVE-2015-0934 (Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLa ...)
	NOT-FOR-US: ShareLaTeX
CVE-2015-0933 (Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, ...)
	NOT-FOR-US: ShareLaTeX
CVE-2015-0932 (The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnG ...)
	NOT-FOR-US: ANTlabs InnGate
CVE-2015-0931 (Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9 ...)
	NOT-FOR-US: Ektron CMS
CVE-2015-0930 (The web interface on SerVision HVG Video Gateway devices with firmware ...)
	NOT-FOR-US: SerVision HVG Video Gateway
CVE-2015-0929 (time.htm in the web interface on SerVision HVG Video Gateway devices w ...)
	NOT-FOR-US: SerVision HVG Video Gateway
CVE-2015-0928 (libhtp 0.5.15 allows remote attackers to cause a denial of service (NU ...)
	- suricata 2.0.7-1
	[wheezy] - suricata (Unusable in wheezy, planned for removal)
	[squeeze] - suricata (Minor issue)
	NOTE: https://redmine.openinfosecfoundation.org/issues/1385
	NOTE: Commit: https://github.com/inliniac/suricata/commit/56196ace51395fcb2d8fc30d586e9ad782306d31
CVE-2015-0927
	RESERVED
CVE-2015-0926 (Labtech before 100.237 on Linux uses world-writable permissions for ro ...)
	NOT-FOR-US: Labtech
CVE-2015-0925 (The client in iPass Open Mobile before 2.4.5 on Windows allows remote ...)
	NOT-FOR-US: iPass Open Mobile
CVE-2015-0924 (Ceragon FibeAir IP-10 bridges have a default password for the root acc ...)
	NOT-FOR-US: Ceragon FibeAir IP-10 bridges
CVE-2015-0923 (The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron C ...)
	NOT-FOR-US: Ektron CMS
CVE-2015-XXXX [smime_keys: insecure use of /tmp]
	- mutt 1.5.24-1 (unimportant; bug #775199)
	NOTE: http://dev.mutt.org/hg/mutt/rev/babc30377614
	NOTE: Rendered non-exploitable by Linux hardening since wheezy
CVE-2015-XXXX [djvudigital: insecure use of /tmp]
	- djvulibre 3.5.27.1-3 (unimportant; bug #775193)
	[squeeze] - djvulibre (Minor issue)
	NOTE: Originally was addressed in 3.5.27.1-1 but it was reintroduced
	NOTE: with the 3.5.27.1-2 upload, cf. https://bugs.debian.org/775193#17
	NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-5701 (mktexlsr revision 36855, and before revision 36626 as packaged in texl ...)
	- texlive-bin (Vulnerable code not reintroduced, patch mktexlsr-use-mktemp still applied)
	NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855
CVE-2015-5700 (mktexlsr revision 22855 through revision 36625 as packaged in texlive ...)
	- texlive-bin 2014.20140926.35254-5 (bug #775139)
	[wheezy] - texlive-bin (Minor issue)
	[squeeze] - texlive-bin (Minor issue)
	NOTE: https://www.openwall.com/lists/oss-security/2015/04/23/22
	NOTE: https://www.openwall.com/lists/oss-security/2015/07/28/5
	NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885
CVE-2015-1196 (GNU patch 2.7.1 allows remote attackers to write to arbitrary files vi ...)
	- patch 2.7.1-7 (bug #775227)
	[wheezy] - patch (Support for git-style patches added in 2.7)
	[squeeze] - patch (Support for git-style patches added in 2.7)
CVE-2015-1194 (pax 1:20140703 allows remote attackers to write to arbitrary files via ...)
	- pax 1:20160306-1 (low; bug #774716)
	[jessie] - pax (Minor issue)
	[squeeze] - pax (Minor issue)
	[wheezy] - pax (Minor issue)
CVE-2015-1193 (Multiple directory traversal vulnerabilities in pax 1:20140703 allow r ...)
	- pax 1:20160306-1 (low; bug #774716)
	[jessie] - pax (Minor issue)
	[squeeze] - pax (Minor issue)
	[wheezy] - pax (Minor issue)
CVE-2015-1192 (Absolute path traversal vulnerability in kgb 1.0b4 allows remote attac ...)
	- kgb 1.0b4+ds-14 (bug #774989)
	[jessie] - kgb (meant to be used as a local archiver)
	[wheezy] - kgb (meant to be used as a local archiver)
	[squeeze] - kgb (meant to be used as a local archiver)
CVE-2015-1191 (Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remot ...)
	- pigz 2.3.1-2 (bug #774978)
	[squeeze] - pigz (Minor issue)
	[wheezy] - pigz (Minor issue)
	NOTE: https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f
CVE-2015-0973 (Buffer overflow in the png_read_IDAT_data function in pngrutil.c in li ...)
	- libpng (Affects 1.5.x and 1.6.x series)
	- libpng1.6 1.6.16-1 (bug #773823)
	- iceweasel (squeeze used the system libpng, and later versions define their own limits)
	- icedove (squeeze used the system libpng, and later versions define their own limits)
	- texlive-bin 2014.20140926.35254-6 (bug #775673)
	[squeeze] - texlive-bin (has a copy of libpng 1.2)
	[wheezy] - texlive-bin (uses system libpng)
	NOTE: http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt
	NOTE: http://mid.gmane.org/Pine.LNX.4.64.1501101510150.31425@beijing.mitre.org
CVE-2015-0922 (McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 us ...)
	NOT-FOR-US: McAfee ePolicy Orchestrator
CVE-2015-0921 (XML external entity (XXE) vulnerability in the Server Task Log in McAf ...)
	NOT-FOR-US: McAfee ePolicy Orchestrator
CVE-2015-2063 (Integer overflow in unace 1.2b allows remote attackers to cause a deni ...)
	{DSA-3178-1 DLA-164-1}
	- unace 1.2b-12 (bug #775003)
	NOTE: http://git.hadrons.org/?p=debian/pkgs/unace.git;a=commitdiff;h=319446f
CVE-2015-0920 (Cross-site request forgery (CSRF) vulnerability in the Banner Effect H ...)
	NOT-FOR-US: Banner Effect Header plugin for WordPress
CVE-2015-0919 (Multiple SQL injection vulnerabilities in the administrative backend i ...)
	NOT-FOR-US: Sefrengo
CVE-2015-0918 (Cross-site scripting (XSS) vulnerability in the administrative backend ...)
	NOT-FOR-US: Sefrengo
CVE-2015-0917 (Cross-site scripting (XSS) vulnerability in the backend in Kajona befo ...)
	NOT-FOR-US: Kajona
CVE-2015-0916 (SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows ...)
	- cacti 0.8.6f-1
CVE-2015-0915 (Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 an ...)
	NOT-FOR-US: RAKUS MailDealer
CVE-2015-0914 (EasyCTF before 1.4 does not validate the session ID, which allows remo ...)
	NOT-FOR-US: EasyCTF
CVE-2015-0913 (Cross-site scripting (XSS) vulnerability in EasyCTF before 1.4 allows ...)
	NOT-FOR-US: EasyCTF
CVE-2015-0912 (EasyCTF before 1.4 allows remote authenticated users to write executab ...)
	NOT-FOR-US: EasyCTF
CVE-2015-0911 (Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 ...)
	NOT-FOR-US: TAGAWA Takao TransmitMail
CVE-2015-0910 (Cross-site scripting (XSS) vulnerability in TAGAWA Takao TransmitMail ...)
	NOT-FOR-US: TAGAWA Takao TransmitMail
CVE-2015-0909
	RESERVED
CVE-2015-0908
	RESERVED
CVE-2015-0907 (Buffer overflow in Lhaplus before 1.70 allows remote attackers to exec ...)
	NOT-FOR-US: Lhaplus
CVE-2015-0906 (Directory traversal vulnerability in Lhaplus before 1.70 allows remote ...)
	NOT-FOR-US: Lhaplus
CVE-2015-0905 (Cross-site request forgery (CSRF) vulnerability in bBlog allows remote ...)
	NOT-FOR-US: bBlog
CVE-2015-0904 (The Restaurant Karaoke SHIDAX app 1.3.3 and earlier on Android does no ...)
	NOT-FOR-US: Restaurant Karaoke SHIDAX app
CVE-2015-0903 (Buffer overflow in Saitoh Kikaku Maruo Editor 8.51 and earlier allows ...)
	NOT-FOR-US: Saitoh Kikaku Maruo Editor
CVE-2015-0902 (The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress do ...)
	NOT-FOR-US: WordPress plugin all-in-one-seo-pack
CVE-2015-0901 (Cross-site scripting (XSS) vulnerability in the duwasai flashy theme 1 ...)
	NOT-FOR-US: WordPress duwasai flashy theme
CVE-2015-0900 (Cross-site scripting (XSS) vulnerability in schedule.cgi in Nishishi F ...)
	NOT-FOR-US: Nishishi Factory
CVE-2015-0899 (The MultiPageValidator implementation in Apache Struts 1 1.1 through 1 ...)
	{DSA-3536-1 DLA-292-1}
	- libstruts1.2-java
	NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=629559
	NOTE: Patch applies cleanly to the Wheezy and Squeeze versions
CVE-2015-0898 (futomi CGI Cafe MP Form Mail CGI eCommerce before 2.0.12 on Windows al ...)
	NOT-FOR-US: futomi CGI Cafe MP Form Mail CGI eCommerce
CVE-2015-0897
	RESERVED
CVE-2015-0896 (Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer befor ...)
	{DLA-453-1 DLA-296-1}
	- extplorer (bug #783231)
	NOTE: Upstream fixes: http://extplorer.net/projects/extplorer/repository/revisions/240
CVE-2015-0895 (Cross-site request forgery (CSRF) vulnerability in the All In One WP S ...)
	NOT-FOR-US: All In One WP Security & Firewall plugin for WordPress
CVE-2015-0894 (SQL injection vulnerability in the All In One WP Security & Firewa ...)
	NOT-FOR-US: All In One WP Security & Firewall plugin for WordPress
CVE-2015-0893 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Rela ...)
	NOT-FOR-US: Maroyaka
CVE-2015-0892 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Imag ...)
	NOT-FOR-US: Maroyaka
CVE-2015-0891 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Simp ...)
	NOT-FOR-US: Maroyaka
CVE-2015-0890 (The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for ...)
	NOT-FOR-US: BestWebSoft plugin for WordPress
CVE-2015-0889 (KENT-WEB Joyful Note before 5.3 allows remote attackers to delete file ...)
	NOT-FOR-US: KENT-WEB Joyful Note
CVE-2015-0888 (KENT-WEB Clip Board before 4.1 allows remote attackers to delete arbit ...)
	NOT-FOR-US: KENT-WEB Clip Board
CVE-2015-0887 (npppd in the PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 Fuji rou ...)
	NOT-FOR-US: SEIL routers
CVE-2015-0886 (Integer overflow in the crypt_raw method in the key-stretching impleme ...)
	- libjbcrypt-java 0.4-1 (bug #780102)
	[jessie] - libjbcrypt-java (Minor issue)
	[wheezy] - libjbcrypt-java (Minor issue)
	[squeeze] - libjbcrypt-java (Minor issue)
CVE-2015-0885 (checkpw 1.02 and earlier allows remote attackers to cause a denial of ...)
	{DSA-3192-1 DLA-191-1}
	- checkpw 1.02-1.1 (bug #780139)
CVE-2015-0884 (Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack ...)
	NOT-FOR-US: Toshiba Bluetooth Stack
CVE-2015-0883 (SYNCK GRAPHICA Mailform Pro CGI 4.1.4 and 4.1.5, when the mailauth mod ...)
	NOT-FOR-US: Mailform Pro
CVE-2015-0882 (Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka ...)
	NOT-FOR-US: Zen Cart
CVE-2015-0881 (CRLF injection vulnerability in Squid before 3.1.1 allows remote attac ...)
	- squid 4.1-1 (low)
	[squeeze] - squid (Minor issue)
	[wheezy] - squid (Minor issue)
	- squid3 3.1.1-1
	NOTE: https://www.openwall.com/lists/oss-security/2015/03/01/2
	NOTE: Patch: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch
	NOTE: https://jvn.jp/en/jp/JVN64455813/index.html
CVE-2015-0880 (Buffer overflow in CREAR AL-Mail32 before 1.13d allows remote attacker ...)
	NOT-FOR-US: CREAR AL-Mail32
CVE-2015-0879 (CREAR AL-Mail32 before 1.13d allows remote attackers to cause a denial ...)
	NOT-FOR-US: CREAR AL-Mail32
CVE-2015-0878 (Directory traversal vulnerability in CREAR AL-Mail32 before 1.13d allo ...)
	NOT-FOR-US: CREAR AL-Mail32
CVE-2015-0877 (Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Mo ...)
	NOT-FOR-US: C-BOARD Moyuku
CVE-2015-0876 (Multiple cross-site scripting (XSS) vulnerabilities in the print_langu ...)
	NOT-FOR-US: Saurus CMS
CVE-2015-0875 (The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Andr ...)
	NOT-FOR-US: Ogaki Kyoritsu Bank Smartphone Passbook application for Android
CVE-2015-0874 (Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL ...)
	NOT-FOR-US: Smartphone Passbook
CVE-2015-0873 (Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlTre ...)
	NOT-FOR-US: PerlTreeBBS
CVE-2015-0872
	REJECTED
CVE-2015-0871 (Cross-site scripting (XSS) vulnerability in Mrs. Shiromuku Perl CGI sh ...)
	NOT-FOR-US: Mrs. Shiromuku Perl CGI shiromuku(u1)GUESTBOOK
CVE-2015-0870 (Cross-site scripting (XSS) vulnerability in hb.cgi in Nishishi Factory ...)
	NOT-FOR-US: Nishishi Factory
CVE-2015-0869 (I-O DATA DEVICE NP-BBRM routers allow remote attackers to cause a deni ...)
	NOT-FOR-US: I-O DATA DEVICE NP-BBRM routers
CVE-2015-0868 (Unrestricted file upload vulnerability in Mrs. Shiromuku Perl CGI shir ...)
	NOT-FOR-US: Mrs. Shiromuku Perl CGI shiromuku(bu2)BBS
CVE-2015-0867 (Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3 ...)
	NOT-FOR-US: SYNCK GRAPHICA Download Log CGI
CVE-2015-0866 (Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngi ...)
	NOT-FOR-US: ZOHO ManageEngine SupportCenter Plus
CVE-2015-0865
	RESERVED
CVE-2015-0864 (Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x befor ...)
	NOT-FOR-US: Samsung
CVE-2015-0863 (GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app ...)
	NOT-FOR-US: Samsung GALAXY Apps
CVE-2015-0862 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...)
	- rabbitmq-server 3.4.3-1
	[jessie] - rabbitmq-server (Minor issue)
	[wheezy] - rabbitmq-server (Minor issue)
	[squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1)
CVE-2015-0861 (model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4 ...)
	{DSA-3425-1}
	- tryton-server 3.8.1-1
	[wheezy] - tryton-server (Version < 3.2)
	[squeeze] - tryton-server (Version < 3.2)
	NOTE: Mathias Behrle told us that affected versions are >= 3.2 and < 3.8.1
CVE-2015-0860 (Off-by-one error in the extracthalf function in dpkg-deb/extract.c in ...)
	{DSA-3407-1}
	- dpkg 1.18.4
	[squeeze] - dpkg (Vulnerable code not present)
CVE-2015-0859 (The Debian build procedure for the smokeping package in wheezy before ...)
	{DSA-3405-1}
	- smokeping 2.6.11-2
	[squeeze] - smokeping (Vulnerable code not present)
CVE-2015-0858 (Cool Projects TarDiff allows local users to write to arbitrary files v ...)
	{DSA-3562-1 DLA-564-1}
	- tardiff 0.1-3
	NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=9bd6a07bc204472ac27242cea16f89943b43003a
CVE-2015-0857 (Cool Projects TarDiff allows remote attackers to execute arbitrary com ...)
	{DSA-3562-1 DLA-564-1}
	- tardiff 0.1-5
	NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=9bd6a07bc204472ac27242cea16f89943b43003a
	NOTE: Assignment is done for injection through file names and tar file name itself
	NOTE: First part was addressed in 0.1-3 but does not contain the fix for the tar file name itself.
	NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=a18e8df51511df276e61dbccdbe1714fc53af965
CVE-2015-0856 (daemon/Greeter.cpp in sddm before 0.13.0 does not properly disable the ...)
	- sddm 0.12.0-5 (bug #803336; low)
	NOTE: https://github.com/sddm/sddm/commit/4cfed6b0a625593
CVE-2015-0855 (The _mediaLibraryPlayCb function in mainwindow.py in pitivi before 0.9 ...)
	- pitivi 0.95-1
	[jessie] - pitivi (Minor issue)
	[squeeze] - pitivi (Vulnerable code not present (no os.system()))
	[wheezy] - pitivi (Vulnerable code not present (no os.system()))
	NOTE: https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2 (RELEASE-0_95_0)
CVE-2015-0854 (App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted ...)
	{DLA-769-1}
	- shutter 0.93.1-1 (low; bug #798862)
	[jessie] - shutter 0.92-0.1+deb8u1
	[squeeze] - shutter (Minor issue)
	NOTE: https://bugs.launchpad.net/shutter/+bug/1495163
CVE-2015-0853 (svn-workbench 1.6.2 and earlier on a system with xeyes installed allow ...)
	- svn-workbench 1.7.0-1 (low; bug #798863)
	[jessie] - svn-workbench (Minor issue)
	[wheezy] - svn-workbench (Minor issue)
	[squeeze] - svn-workbench (Minor issue)
CVE-2015-0852 (Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and e ...)
	{DSA-3392-1 DLA-327-1}
	- freeimage 3.15.4-5 (bug #797165)
	NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
	NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN
CVE-2015-0851 (XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Servic ...)
	{DSA-3321-1 DLA-290-1}
	- xmltooling 1.5.6-1 (bug #793855)
	NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt
	NOTE: Patch: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
	NOTE: Initial advisory was listing the wrong CVE, updated later
	NOTE: opensaml2 will need binNMUs/sourceful upload (cf. #794851)
	NOTE: [squeeze] partially affected (util/XMLHelper.cpp XMLHelper::getAttrInt method not present) (1.3.3.x)
CVE-2015-0850 (The Git plugin for FusionForge before 6.0rc4 allows remote attackers t ...)
	{DSA-3275-1}
	- fusionforge 6.0~rc4-1
	[squeeze] - fusionforge (Affects 5.3 and later)
	NOTE: https://scm.fusionforge.org/anonscm/gitweb?p=fusionforge/fusionforge.git;a=commitdiff;h=afcfe76f5195af4566ff3a8280714383fcdb5a67
	NOTE: https://fusionforge.org/forum/forum.php?forum_id=41
CVE-2015-0849 [predictable temporary file vulnerability]
	RESERVED
	- pycode-browser 1:1.0-1 (unimportant; bug #790365)
	NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-0848 (Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers t ...)
	{DSA-3302-1 DLA-253-1}
	- libwmf 0.2.8.4-10.4 (bug #787644)
CVE-2015-0847 (nbd-server.c in Network Block Device (nbd-server) before 3.11 does not ...)
	{DSA-3271-1 DLA-223-1}
	- nbd 1:3.10-1 (bug #784657)
	NOTE: http://sourceforge.net/p/nbd/mailman/message/34091218/
CVE-2015-0846 (django-markupfield before 1.3.2 uses the default docutils RESTRUCTURED ...)
	{DSA-3230-1 DLA-206-1}
	- django-markupfield 1.3.2-1
	NOTE: https://github.com/jamesturk/django-markupfield/commit/b45734ea1d206abc1ed2a90bdc779708066d49f3
CVE-2015-0845 (Format string vulnerability in Movable Type Pro, Open Source, and Adva ...)
	{DSA-3227-1}
	- movabletype-opensource
	[squeeze] - movabletype-opensource (Not supported in Squeeze LTS)
	NOTE: https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html
CVE-2015-0844 (The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x ...)
	{DSA-3218-1 DLA-202-1}
	- wesnoth-1.12 1:1.12.2-1
	- wesnoth-1.10 1:1.10.7-2
	- wesnoth-1.8
CVE-2015-0843 [Buffer overflows due to misuse of sprintf]
	RESERVED
	- yubiserver 0.6-1 (bug #796495)
	[jessie] - yubiserver (Mitigated by toolchain hardening)
	[wheezy] - yubiserver (Can be fixed via a point release)
CVE-2015-0842 [SQL injection issues (potential auth bypass)]
	RESERVED
	- yubiserver 0.6-1 (bug #796495)
	[jessie] - yubiserver (Minor issue)
	[wheezy] - yubiserver (Minor issue)
CVE-2015-0841 (Off-by-one error in the readBuf function in listener.cpp in libcapsine ...)
	- libcapsinetwork (bug #781044; unimportant)
	[experimental] - monopd 0.9.8-1
	- monopd (bug #781043; unimportant)
	NOTE: Not exploitable with dlmalloc
CVE-2015-0840 (The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x befor ...)
	{DSA-3217-1 DLA-220-1}
	- dpkg 1.17.25
	NOTE: Ubuntu fix for 1.15.x (version in squeeze): http://launchpadlibrarian.net/202647129/dpkg_1.15.5.6ubuntu4.9_1.15.5.6ubuntu4.10.diff.gz
CVE-2015-0839 (The hp-plugin utility in HP Linux Imaging and Printing (HPLIP) makes i ...)
	{DLA-775-1}
	- hplip 3.15.11+repack0-1 (bug #787353; bug #796015)
	[jessie] - hplip 3.14.6-1+deb8u1
	[squeeze] - hplip (Minor issue)
	NOTE: http://seclists.org/oss-sec/2015/q2/581
	NOTE: https://bugs.launchpad.net/bugs/1432516
CVE-2015-0838 (Buffer overflow in the C implementation of the apply_delta function in ...)
	{DSA-3206-1 DLA-231-1}
	- dulwich 0.10.1-1 (bug #780958)
	[jessie] - dulwich 0.9.7-3
CVE-2015-0837 (The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.1 ...)
	{DSA-3185-1 DSA-3184-1 DLA-190-1 DLA-175-1}
	- libgcrypt11
	- libgcrypt20 1.6.3-2
	- gnupg 1.4.18-7
	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=6cbc75e71295f23431c4ab95edc7573f2fc28476
CVE-2015-0836 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-3179-1 DSA-3174-1}
	- iceweasel 31.5.0esr-1
	[squeeze] - iceweasel
	- icedove 31.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-11/
CVE-2015-0835 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-11/
CVE-2015-0834 (The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-15/
CVE-2015-0833 (Multiple untrusted search path vulnerabilities in updater.exe in Mozil ...)
	- iceweasel (Specific to Firefox on Windows)
	- icedove (Specific to Thunderbird on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-12/
CVE-2015-0832 (Mozilla Firefox before 36.0 does not properly recognize the equivalenc ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/
CVE-2015-0831 (Use-after-free vulnerability in the mozilla::dom::IndexedDB::IDBObject ...)
	{DSA-3179-1 DSA-3174-1}
	- iceweasel 31.5.0esr-1
	[squeeze] - iceweasel
	- icedove 31.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-16/
CVE-2015-0830 (The WebGL implementation in Mozilla Firefox before 36.0 does not prope ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-14/
CVE-2015-0829 (Buffer overflow in libstagefright in Mozilla Firefox before 36.0 allow ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-17/
CVE-2015-0828 (Double free vulnerability in the nsXMLHttpRequest::GetResponse functio ...)
	- iceweasel (Doesn't affect the memory allocator used in the Debian builds)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-18/
CVE-2015-0827 (Heap-based buffer overflow in the mozilla::gfx::CopyRect function in M ...)
	{DSA-3179-1 DSA-3174-1}
	- iceweasel 31.5.0esr-1
	[squeeze] - iceweasel
	- icedove 31.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-19/
CVE-2015-0826 (The nsTransformedTextRun::SetCapitalization function in Mozilla Firefo ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-20/
CVE-2015-0825 (Stack-based buffer underflow in the mozilla::MP3FrameParser::ParseBuff ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-21/
CVE-2015-0824 (The mozilla::layers::BufferTextureClient::AllocateForSurface function ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-22/
CVE-2015-0823 (Multiple use-after-free vulnerabilities in OpenType Sanitiser, as used ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-23/
CVE-2015-0822 (The Form Autocompletion feature in Mozilla Firefox before 36.0, Firefo ...)
	{DSA-3179-1 DSA-3174-1}
	- iceweasel 31.5.0esr-1
	[squeeze] - iceweasel
	- icedove 31.5.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-24/
CVE-2015-0821 (Mozilla Firefox before 36.0 allows user-assisted remote attackers to r ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-25/
CVE-2015-0820 (Mozilla Firefox before 36.0 does not properly restrict transitions of ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-27/
CVE-2015-0819 (The UITour::onPageEvent function in Mozilla Firefox before 36.0 does n ...)
	- iceweasel (Does not affect ESR version)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-26/
CVE-2015-0818 (Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and Sea ...)
	{DSA-3201-1}
	- iceweasel 31.5.3esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
CVE-2015-0817 (The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ES ...)
	{DSA-3201-1}
	- iceweasel 31.5.3esr-1
	[squeeze] - iceweasel
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
CVE-2015-0816 (Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunder ...)
	{DSA-3212-1 DSA-3211-1}
	- iceweasel 31.6.0esr-1
	[squeeze] - iceweasel
	- icedove 31.6.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
CVE-2015-0815 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-3212-1 DSA-3211-1}
	- iceweasel 31.6.0esr-1
	[squeeze] - iceweasel
	- icedove 31.6.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
CVE-2015-0814 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- iceweasel (only affects Firefox 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
CVE-2015-0813 (Use-after-free vulnerability in the AppendElements function in Mozilla ...)
	{DSA-3212-1 DSA-3211-1}
	- iceweasel 31.6.0esr-1
	[squeeze] - iceweasel
	- icedove 31.6.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
CVE-2015-0812 (Mozilla Firefox before 37.0 does not require an HTTPS session for ligh ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-32/
CVE-2015-0811 (The QCMS implementation in Mozilla Firefox before 37.0 allows remote a ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/
CVE-2015-0810 (Mozilla Firefox before 37.0 on OS X does not ensure that the cursor is ...)
	- iceweasel (Only affects 37.x; only affects OS X systems)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-35/
CVE-2015-0809
	RESERVED
CVE-2015-0808 (The webrtc::VPMContentAnalysis::Release function in the WebRTC impleme ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-36/
CVE-2015-0807 (The navigator.sendBeacon implementation in Mozilla Firefox before 37.0 ...)
	{DSA-3212-1 DSA-3211-1}
	- iceweasel 31.6.0esr-1
	[squeeze] - iceweasel
	- icedove 31.6.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
CVE-2015-0806 (The Off Main Thread Compositing (OMTC) implementation in Mozilla Firef ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/
CVE-2015-0805 (The Off Main Thread Compositing (OMTC) implementation in Mozilla Firef ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/
CVE-2015-0804 (The HTMLSourceElement::BindToTree function in Mozilla Firefox before 3 ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/
CVE-2015-0803 (The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/
CVE-2015-0802 (Mozilla Firefox before 37.0 relies on docshell type information instea ...)
	- iceweasel (Only affects 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-42/
CVE-2015-0801 (Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunder ...)
	{DSA-3212-1 DSA-3211-1}
	- iceweasel 31.6.0esr-1
	[squeeze] - iceweasel
	- icedove 31.6.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/
CVE-2015-0800 (The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fe ...)
	- iceweasel (Only affects 37.x; only on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-41/
CVE-2015-0799 (The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 ...)
	- iceweasel (Only affects Firefox 37.x)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
CVE-2015-0798 (The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, a ...)
	- iceweasel (Only affects Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/
CVE-2015-0797 (GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefo ...)
	{DSA-3264-1 DSA-3260-1 DSA-3225-1 DLA-2164-1}
	- gst-plugins-bad0.10 (bug #784220)
	[squeeze] - gst-plugins-bad0.10 (vulnerable code (gst/videoparsers/*) introduced later)
	- iceweasel 38.0-1
	[squeeze] - iceweasel
	- icedove 31.7.0-1
	[squeeze] - icedove
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
CVE-2015-0796 (In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before ...)
	- open-build-service (Fixed before initial upload)
CVE-2015-0795 (Multiple stack-based buffer overflows in the SafeShellExecute method i ...)
	NOT-FOR-US: NetIQ
CVE-2015-0794 (modules.d/90crypt/module-setup.sh in the dracut package before 037-17. ...)
	- dracut (Vulnerable code not present)
	NOTE: http://lists.opensuse.org/opensuse-updates/2015-11/msg00098.html
	NOTE: http://lists.opensuse.org/opensuse-bugs/2015-06/msg02585.html
	NOTE: http://lists.opensuse.org/opensuse-bugs/2015-06/msg02580.html
	NOTE: This seems to be a SuSE specific issue. src:dracut does not contain unsafe
	NOTE: handling of a /tmp/dracut_block_uuid.map file in any checked version.
CVE-2015-0793
	REJECTED
CVE-2015-0792
	REJECTED
CVE-2015-0791
	REJECTED
CVE-2015-0790
	REJECTED
CVE-2015-0789
	REJECTED
CVE-2015-0788
	REJECTED
CVE-2015-0787 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote ...)
	NOT-FOR-US: NetIQ Designer for Identity Manager
CVE-2015-0786 (Stack-based buffer overflow in the logging functionality in the Preboo ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0785 (com.novell.zenworks.inventory.rtr.actionclasses.wcreports in Novell ZE ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0784 (Rtrlet.class in Novell ZENworks Configuration Management (ZCM) allows ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0783 (The FileViewer class in Novell ZENworks Configuration Management (ZCM) ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0782 (SQL injection vulnerability in the ScheduleQuery method of the schedul ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0781 (Directory traversal vulnerability in the doPost method of the Rtrlet c ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0780 (SQL injection vulnerability in the GetReRequestData method of the GetS ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0779 (Directory traversal vulnerability in UploadServlet in Novell ZENworks ...)
	NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2015-0778 (osc before 0.151.0 allows remote attackers to execute arbitrary comman ...)
	- osc 0.149.0-2 (low; bug #780410)
	[wheezy] - osc 0.134.1-2+deb7u1
	[squeeze] - osc (Minor issue)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=901643
CVE-2015-0777 (drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3 ...)
	- linux (Addon Xen usbback patch not present)
	- linux-2.6 (Addon Xen usbback patch not present)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=917830
CVE-2015-0776 (telnetd in Cisco IOS XR 5.0.1 on Network Convergence System 6000 devic ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0775 (The banner (aka MOTD) implementation in Cisco NX-OS 4.1(2)E1(1f) on Ne ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-0774 (Cross-site scripting (XSS) vulnerability in Cisco Application and Cont ...)
	NOT-FOR-US: Cisco Application and Content Networking System
CVE-2015-0773 (Cisco FireSIGHT System Software 5.3.1.3 and 6.0.0 allows remote authen ...)
	NOT-FOR-US: Cisco FireSIGHT System Software
CVE-2015-0772 (Cisco TelePresence Video Communication Server (VCS) X8.5RC4 allows rem ...)
	NOT-FOR-US: Cisco TelePresence Video Communication Server
CVE-2015-0771 (The IKE implementation in the WS-IPSEC-3 service module in Cisco IOS 1 ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0770 (CRLF injection vulnerability in Cisco TelePresence TC 6.x before 6.3.4 ...)
	NOT-FOR-US: Cisco TelePresence TC Software
CVE-2015-0769 (Cisco IOS XR 4.0.1 through 4.2.0 for CRS-3 Carrier Routing System allo ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0768 (The Device Work Center (DWC) component in Cisco Prime Network Control ...)
	NOT-FOR-US: Cisco Prime Network Control System
CVE-2015-0767 (Cisco Edge 300 software 1.0 and 1.1 on Edge 340 devices allows local u ...)
	NOT-FOR-US: Cisco
CVE-2015-0766 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...)
	NOT-FOR-US: Cisco
CVE-2015-0765 (Cisco ONS 15454 System Software 10.30 and 10.301 allows remote attacke ...)
	NOT-FOR-US: Cisco
CVE-2015-0764 (Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to read ar ...)
	NOT-FOR-US: Cisco Unified MeetingPlace
CVE-2015-0763 (Cisco Unified MeetingPlace 8.6(1.2) does not properly validate session ...)
	NOT-FOR-US: Cisco Unified MeetingPlace
CVE-2015-0762 (Cross-site scripting (XSS) vulnerability in the management interface i ...)
	NOT-FOR-US: Cisco Unified MeetingPlace
CVE-2015-0761 (Cisco AnyConnect Secure Mobility Client before 3.1(8009) and 4.x befor ...)
	NOT-FOR-US: Cisco AnyConnect Secure Mobility Client
CVE-2015-0760 (The IKEv1 implementation in Cisco ASA Software 7.x, 8.0.x, 8.1.x, and ...)
	NOT-FOR-US: Cisco ASA
CVE-2015-0759 (Cross-site request forgery (CSRF) vulnerability in Cisco Headend Digit ...)
	NOT-FOR-US: Cisco
CVE-2015-0758 (The web-based user interface in Cisco Unified MeetingPlace 8.6(1.9) al ...)
	NOT-FOR-US: Cisco
CVE-2015-0757 (The web framework in Cisco Identity Services Engine (ISE) 1.2(1.901) a ...)
	NOT-FOR-US: Cisco
CVE-2015-0756 (Cisco Wireless LAN Controller (WLC) devices with software 7.4(1.1) all ...)
	NOT-FOR-US: Cisco
CVE-2015-0755 (The Posture module for Cisco Identity Services Engine (ISE), as distri ...)
	NOT-FOR-US: Cisco
CVE-2015-0754 (Cisco Finesse 10.5(1) allows remote authenticated users to obtain sens ...)
	NOT-FOR-US: Cisco
CVE-2015-0753 (SQL injection vulnerability in Cisco Unified Email Interaction Manager ...)
	NOT-FOR-US: Cisco
CVE-2015-0752 (Cross-site scripting (XSS) vulnerability in Cisco TelePresence Video C ...)
	NOT-FOR-US: Cisco
CVE-2015-0751 (Cisco IP Phone 7861, when firmware from Cisco Unified Communications M ...)
	NOT-FOR-US: Cisco
CVE-2015-0750 (The administrative web interface in Cisco Hosted Collaboration Solutio ...)
	NOT-FOR-US: Cisco
CVE-2015-0749 (A vulnerability in Cisco Unified Communications Manager could allow an ...)
	NOT-FOR-US: Cisco
CVE-2015-0748
	RESERVED
CVE-2015-0747 (Cisco Conductor for Videoscape 3.0 and Cisco Headend System Release al ...)
	NOT-FOR-US: Cisco
CVE-2015-0746 (The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows r ...)
	NOT-FOR-US: Cisco Access Control Server
CVE-2015-0745 (Cisco Headend System Release allows remote attackers to read temporary ...)
	NOT-FOR-US: Cisco
CVE-2015-0744 (Cisco DTA Control System (DTACS) 4.0.0.9 and Cisco Headend System Rele ...)
	NOT-FOR-US: Cisco
CVE-2015-0743 (Cisco Headend System Release allows remote attackers to cause a denial ...)
	NOT-FOR-US: Cisco
CVE-2015-0742 (The Protocol Independent Multicast (PIM) application in Cisco Adaptive ...)
	NOT-FOR-US: Cisco
CVE-2015-0741 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Pr ...)
	NOT-FOR-US: Cisco
CVE-2015-0740 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intel ...)
	NOT-FOR-US: Cisco
CVE-2015-0739 (The Lights-Out Management (LOM) implementation in Cisco FireSIGHT Syst ...)
	NOT-FOR-US: Cisco
CVE-2015-0738 (Cross-site scripting (XSS) vulnerability in the Web Tracking Report pa ...)
	NOT-FOR-US: Cisco
CVE-2015-0737 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSIGHT ...)
	NOT-FOR-US: Cisco FireSIGHT System Software
CVE-2015-0736 (Cross-site request forgery (CSRF) vulnerability in Cisco MediaSense 10 ...)
	NOT-FOR-US: Cisco
CVE-2015-0735 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Custo ...)
	NOT-FOR-US: Cisco
CVE-2015-0734 (Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Email ...)
	NOT-FOR-US: Cisco
CVE-2015-0733 (CRLF injection vulnerability in the HTTP Header Handler in Digital Bro ...)
	NOT-FOR-US: Cisco
CVE-2015-0732 (Cross-site scripting (XSS) vulnerability in Cisco AsyncOS on the Web S ...)
	NOT-FOR-US: Cisco
CVE-2015-0731 (The ISDN implementation in Cisco IOS 15.3S allows remote attackers to ...)
	NOT-FOR-US: Cisco
CVE-2015-0730 (The SMB module in Cisco Wide Area Application Services (WAAS) 6.0(1) a ...)
	NOT-FOR-US: Cisco
CVE-2015-0729 (Cross-site scripting (XSS) vulnerability in Cisco Secure Access Contro ...)
	NOT-FOR-US: Cisco
CVE-2015-0728 (Cross-site scripting (XSS) vulnerability in Cisco Access Control Serve ...)
	NOT-FOR-US: Cisco
CVE-2015-0727 (Cross-site scripting (XSS) vulnerability in the HTTP module in Cisco S ...)
	NOT-FOR-US: Cisco
CVE-2015-0726 (The web administration interface on Cisco Wireless LAN Controller (WLC ...)
	NOT-FOR-US: Cisco
CVE-2015-0725 (Cisco Videoscape Distribution Suite Service Broker (aka VDS-SB), when ...)
	NOT-FOR-US: Cisco
CVE-2015-0724 (Multiple cross-site scripting (XSS) vulnerabilities in dncs 7.0.0.12 i ...)
	NOT-FOR-US: Cisco
CVE-2015-0723 (The wireless web-authentication subsystem on Cisco Wireless LAN Contro ...)
	NOT-FOR-US: Cisco
CVE-2015-0722 (The network drivers in Cisco TelePresence T, Cisco TelePresence TE, an ...)
	NOT-FOR-US: Cisco
CVE-2015-0721 (Cisco NX-OS 4.0 through 7.3 on Multilayer Director and Nexus 1000V, 20 ...)
	NOT-FOR-US: Cisco
CVE-2015-0720
	RESERVED
CVE-2015-0719
	RESERVED
CVE-2015-0718 (Cisco NX-OS 4.0 through 6.1 on Nexus 1000V 3000, 4000, 5000, 6000, and ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-0717 (Cisco Unified Communications Manager 10.0(1.10000.12) allows local use ...)
	NOT-FOR-US: Cisco
CVE-2015-0716 (Cross-site request forgery (CSRF) vulnerability in the CUCReports page ...)
	NOT-FOR-US: Cisco Unity Connection
CVE-2015-0715 (SQL injection vulnerability in the administrative web interface in Cis ...)
	NOT-FOR-US: Cisco Unified Communications Manager
CVE-2015-0714 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse S ...)
	NOT-FOR-US: Cisco Finesse
CVE-2015-0713 (The web framework in Cisco TelePresence Advanced Media Gateway Series ...)
	NOT-FOR-US: Cisco
CVE-2015-0712 (The session-manager service in Cisco StarOS 12.0, 12.2(300), 14.0, and ...)
	NOT-FOR-US: Cisco StarOS
CVE-2015-0711 (The hamgr service in the IPv6 Proxy Mobile (PM) implementation in Cisc ...)
	NOT-FOR-US: Cisco StarOS
CVE-2015-0710 (The Overlay Transport Virtualization (OTV) implementation in Cisco IOS ...)
	NOT-FOR-US: Cisco IOS XE
CVE-2015-0709 (Cisco IOS 15.5S and IOS XE allow remote authenticated users to cause a ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0708 (Cisco IOS 15.4S, 15.4SN, and 15.5S and IOS XE 3.13S and 3.14S allow re ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0707 (Cross-site scripting (XSS) vulnerability in Cisco FireSIGHT System Sof ...)
	NOT-FOR-US: Cisco
CVE-2015-0706 (Open redirect vulnerability in Cisco FireSIGHT System Software 5.3.1.1 ...)
	NOT-FOR-US: Cisco
CVE-2015-0705 (Cross-site request forgery (CSRF) vulnerability in the SOAP API endpoi ...)
	NOT-FOR-US: Cisco
CVE-2015-0704 (Multiple cross-site request forgery (CSRF) vulnerabilities in API feat ...)
	NOT-FOR-US: Cisco
CVE-2015-0703 (Cross-site scripting (XSS) vulnerability in the administrative web int ...)
	NOT-FOR-US: Cisco
CVE-2015-0702 (Unrestricted file upload vulnerability in the Custom Prompts upload im ...)
	NOT-FOR-US: Cisco
CVE-2015-0701 (Cisco UCS Central Software before 1.3(1a) allows remote attackers to e ...)
	NOT-FOR-US: Cisco UCS
CVE-2015-0700 (Cross-site request forgery (CSRF) vulnerability in the Dashboard page ...)
	NOT-FOR-US: Cisco
CVE-2015-0699 (SQL injection vulnerability in the Interactive Voice Response (IVR) co ...)
	NOT-FOR-US: Cisco
CVE-2015-0698 (Multiple cross-site scripting (XSS) vulnerabilities in filter search f ...)
	NOT-FOR-US: Cisco WSA
CVE-2015-0697 (Open redirect vulnerability in the login page in Cisco TC Software bef ...)
	NOT-FOR-US: Cisco
CVE-2015-0696 (Cross-site scripting (XSS) vulnerability in the login page in Cisco TC ...)
	NOT-FOR-US: Cisco
CVE-2015-0695 (Cisco IOS XR 4.3.4 through 5.3.0 on ASR 9000 devices, when uRPF, PBR, ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0694 (Cisco ASR 9000 devices with software 5.3.0.BASE do not recognize that ...)
	NOT-FOR-US: Cisco
CVE-2015-0693 (Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 ...)
	NOT-FOR-US: Cisco WSA
CVE-2015-0692 (Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 ...)
	NOT-FOR-US: Cisco WSA
CVE-2015-0691 (A certain Cisco JAR file, as distributed in Cache Cleaner in Cisco Sec ...)
	NOT-FOR-US: Cisco Secure Desktop Cache Cleaner
CVE-2015-0690 (Cross-site scripting (XSS) vulnerability in the HTML help system on Ci ...)
	NOT-FOR-US: Cisco
CVE-2015-0689 (Cisco Cloud Web Security before 3.0.1.7 allows remote attackers to byp ...)
	NOT-FOR-US: Cisco
CVE-2015-0688 (Cisco IOS XE 3.10.2S on an ASR 1000 device with an Embedded Services P ...)
	NOT-FOR-US: Cisco
CVE-2015-0687 (The SNMP implementation in Cisco IOS 15.1(2)SG4 on Catalyst 4500 devic ...)
	NOT-FOR-US: Cisco
CVE-2015-0686 (The SNMP implementation in Cisco NX-OS 6.1(2)I2(3) on Nexus 9000 devic ...)
	NOT-FOR-US: Cisco
CVE-2015-0685 (Cisco IOS XE before 3.7.5S on ASR 1000 devices does not properly handl ...)
	NOT-FOR-US: Cisco
CVE-2015-0684 (SQL injection vulnerability in the Image Management component in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0683 (Cisco Unified Communications Domain Manager 8.1(4) allows remote authe ...)
	NOT-FOR-US: Cisco
CVE-2015-0682 (Cisco Unified Communications Domain Manager 8.1(4) allows remote authe ...)
	NOT-FOR-US: Cisco
CVE-2015-0681 (The TFTP server in Cisco IOS 12.2(44)SQ1, 12.2(33)XN1, 12.4(25e)JAM1, ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0680 (Cisco Unified Call Manager (CM) 9.1(2.1000.28) does not properly restr ...)
	NOT-FOR-US: Cisco
CVE-2015-0679 (The web-authentication functionality on Cisco Wireless LAN Controller ...)
	NOT-FOR-US: Cisco
CVE-2015-0678 (The virtualization layer in Cisco ASA FirePOWER Software before 5.3.1. ...)
	NOT-FOR-US: Cisco ASA
CVE-2015-0677 (The XML parser in Cisco Adaptive Security Appliance (ASA) Software 8.4 ...)
	NOT-FOR-US: Cisco ASA
CVE-2015-0676 (The DNS implementation in Cisco Adaptive Security Appliance (ASA) Soft ...)
	NOT-FOR-US: Cisco ASA
CVE-2015-0675 (The failover ipsec implementation in Cisco Adaptive Security Appliance ...)
	NOT-FOR-US: Cisco ASA
CVE-2015-0674 (Cross-site scripting (XSS) vulnerability in the Alert Service of Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0673 (Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote authenti ...)
	NOT-FOR-US: Cisco
CVE-2015-0672 (The DHCPv4 server in Cisco IOS XR 5.2.2 on ASR 9000 devices allows rem ...)
	NOT-FOR-US: Cisco
CVE-2015-0671 (The DNS implementation in Cisco Videoscape Distribution Suite for Inte ...)
	NOT-FOR-US: Cisco
CVE-2015-0670 (The default configuration of Cisco Small Business IP phones SPA 300 7. ...)
	NOT-FOR-US: Cisco
CVE-2015-0669 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0668 (Cross-site scripting (XSS) vulnerability in the administration portal ...)
	NOT-FOR-US: Cisco
CVE-2015-0667 (The Management Interface on Cisco Content Services Switch (CSS) 11500 ...)
	NOT-FOR-US: Cisco
CVE-2015-0666 (Directory traversal vulnerability in the fmserver servlet in Cisco Pri ...)
	NOT-FOR-US: Cisco
CVE-2015-0665 (The Hostscan module in Cisco AnyConnect Secure Mobility Client 4.0(.00 ...)
	NOT-FOR-US: Cisco
CVE-2015-0664 (The IPC channel in Cisco AnyConnect Secure Mobility Client 4.0(.00051) ...)
	NOT-FOR-US: Cisco
CVE-2015-0663 (Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier does n ...)
	NOT-FOR-US: Cisco
CVE-2015-0662 (Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier allows ...)
	NOT-FOR-US: Cisco
CVE-2015-0661 (The SNMPv2 implementation in Cisco IOS XR allows remote authenticated ...)
	NOT-FOR-US: Cisco
CVE-2015-0660 (Cisco Virtual TelePresence Server Software does not properly restrict ...)
	NOT-FOR-US: Cisco
CVE-2015-0659 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0658 (The DHCP implementation in the PowerOn Auto Provisioning (POAP) featur ...)
	NOT-FOR-US: Cisco
CVE-2015-0657 (Cisco IOS XR allows remote attackers to cause a denial of service (RSV ...)
	NOT-FOR-US: Cisco
CVE-2015-0656 (Cross-site scripting (XSS) vulnerability in the login page in Cisco Ne ...)
	NOT-FOR-US: Cisco NAM
CVE-2015-0655 (Cross-site scripting (XSS) vulnerability in Unified Web Interaction Ma ...)
	NOT-FOR-US: Cisco Unified Web
CVE-2015-0654 (Race condition in the TLS implementation in MainApp in the management ...)
	NOT-FOR-US: Cisco
CVE-2015-0653 (The management interface in Cisco TelePresence Video Communication Ser ...)
	NOT-FOR-US: Cisco
CVE-2015-0652 (The Session Description Protocol (SDP) implementation in Cisco TelePre ...)
	NOT-FOR-US: Cisco
CVE-2015-0651 (Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisc ...)
	NOT-FOR-US: Cisco
CVE-2015-0650 (The Service Discovery Gateway (aka mDNS Gateway) in Cisco IOS 12.2, 12 ...)
	NOT-FOR-US: Cisco
CVE-2015-0649 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to ...)
	NOT-FOR-US: Cisco
CVE-2015-0648 (Memory leak in Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remot ...)
	NOT-FOR-US: Cisco
CVE-2015-0647 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to ...)
	NOT-FOR-US: Cisco
CVE-2015-0646 (Memory leak in the TCP input module in Cisco IOS 12.2, 12.4, 15.0, 15. ...)
	NOT-FOR-US: Cisco
CVE-2015-0645 (The Layer 4 Redirect (L4R) feature in Cisco IOS XE 2.x and 3.x before ...)
	NOT-FOR-US: Cisco
CVE-2015-0644 (AppNav in Cisco IOS XE 3.8 through 3.10 before 3.10.3S, 3.11 before 3. ...)
	NOT-FOR-US: Cisco
CVE-2015-0643 (Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 2.5. ...)
	NOT-FOR-US: Cisco
CVE-2015-0642 (Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 2.5. ...)
	NOT-FOR-US: Cisco
CVE-2015-0641 (Cisco IOS XE 2.x and 3.x before 3.9.0S, 3.10 before 3.10.0S, 3.11 befo ...)
	NOT-FOR-US: Cisco
CVE-2015-0640 (The high-speed logging (HSL) feature in Cisco IOS XE 2.x and 3.x befor ...)
	NOT-FOR-US: Cisco
CVE-2015-0639 (The Common Flow Table (CFT) feature in Cisco IOS XE 3.6 and 3.7 before ...)
	NOT-FOR-US: Cisco
CVE-2015-0638 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3, when a VRF interface is co ...)
	NOT-FOR-US: Cisco
CVE-2015-0637 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0636 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0635 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...)
	NOT-FOR-US: Cisco
CVE-2015-0634 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...)
	NOT-FOR-US: Cisco
CVE-2015-0633 (The Integrated Management Controller (IMC) in Cisco Unified Computing ...)
	NOT-FOR-US: Cisco
CVE-2015-0632 (Race condition in the Neighbor Discovery (ND) protocol implementation ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0631 (Race condition in the SSL implementation on Cisco Intrusion Prevention ...)
	NOT-FOR-US: Cisco IPS
CVE-2015-0630
	RESERVED
CVE-2015-0629
	RESERVED
CVE-2015-0628 (The proxy engine on Cisco Web Security Appliance (WSA) devices allows ...)
	NOT-FOR-US: Cisco WSA
CVE-2015-0627
	RESERVED
CVE-2015-0626 (The SOAP interface in Cisco Hosted Collaboration Solution (HCS) allows ...)
	NOT-FOR-US: Cisco HCS
CVE-2015-0625
	RESERVED
CVE-2015-0624 (The web framework in Cisco AsyncOS on Email Security Appliance (ESA), ...)
	NOT-FOR-US: Cisco
CVE-2015-0623 (Cross-site scripting (XSS) vulnerability in the Administrator report p ...)
	NOT-FOR-US: Cisco WSA
CVE-2015-0622 (The Wireless Intrusion Detection (aka WIDS) functionality on Cisco Wir ...)
	NOT-FOR-US: Cisco WLC
CVE-2015-0621 (Cisco TelePresence MCU devices with software 4.5(1.45) allow remote at ...)
	NOT-FOR-US: Cisco TelePresence
CVE-2015-0620 (The XML parser in Cisco TelePresence Management Suite (TMS) 14.3(.2) a ...)
	NOT-FOR-US: Cisco TelePresence
CVE-2015-0619 (Memory leak in the embedded web server in the WebVPN subsystem in Cisc ...)
	NOT-FOR-US: Cisco Adaptive Security Appliance
CVE-2015-0618 (Cisco IOS XR 5.0.1 and 5.2.1 on Network Convergence System (NCS) 6000 ...)
	NOT-FOR-US: Cisco IOS
CVE-2015-0617 (Cisco ASR 5500 System Architecture Evolution (SAE) Gateway devices all ...)
	NOT-FOR-US: Cisco
CVE-2015-0616 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...)
	NOT-FOR-US: Cisco
CVE-2015-0615 (The call-handling implementation in Cisco Unity Connection 8.5 before ...)
	NOT-FOR-US: Cisco
CVE-2015-0614 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...)
	NOT-FOR-US: Cisco
CVE-2015-0613 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...)
	NOT-FOR-US: Cisco
CVE-2015-0612 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...)
	NOT-FOR-US: Cisco
CVE-2015-0611 (The administrative web-management portal in Cisco IX 8 (.0.1) and earl ...)
	NOT-FOR-US: Cisco TelePresence
CVE-2015-0610 (Race condition in the object-group ACL feature in Cisco IOS 15.5(2)T a ...)
	NOT-FOR-US: Cisco
CVE-2015-0609 (Race condition in the Common Classification Engine (CCE) in the Measur ...)
	NOT-FOR-US: Cisco
CVE-2015-0608 (Race condition in the Measurement, Aggregation, and Correlation Engine ...)
	NOT-FOR-US: Cisco
CVE-2015-0607 (The Authentication Proxy feature in Cisco IOS does not properly handle ...)
	NOT-FOR-US: Cisco
CVE-2015-0606 (The IOS Shell in Cisco IOS allows local users to cause a denial of ser ...)
	NOT-FOR-US: Cisco
CVE-2015-0605 (The uuencode inspection engine in Cisco AsyncOS on Cisco Email Securit ...)
	NOT-FOR-US: Cisco
CVE-2015-0604 (The web framework on Cisco Unified IP 9900 phones with firmware 9.4(.1 ...)
	NOT-FOR-US: Cisco
CVE-2015-0603 (Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier use wea ...)
	NOT-FOR-US: Cisco
CVE-2015-0602 (The mobility extension on Cisco Unified IP 9900 phones with firmware 9 ...)
	NOT-FOR-US: Cisco
CVE-2015-0601 (Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allow l ...)
	NOT-FOR-US: Cisco
CVE-2015-0600 (The mobility extension on Cisco Unified IP 9900 phones with firmware 9 ...)
	NOT-FOR-US: Cisco
CVE-2015-0599 (The web interface in Cisco Integrated Management Controller in Cisco U ...)
	NOT-FOR-US: Cisco
CVE-2015-0598 (The RADIUS implementation in Cisco IOS and IOS XE allows remote attack ...)
	NOT-FOR-US: Cisco
CVE-2015-0597 (The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) ...)
	NOT-FOR-US: Cisco
CVE-2015-0596 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...)
	NOT-FOR-US: Cisco
CVE-2015-0595 (The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allo ...)
	NOT-FOR-US: Cisco
CVE-2015-0594 (Multiple cross-site scripting (XSS) vulnerabilities in the help pages ...)
	NOT-FOR-US: Cisco
CVE-2015-0593 (The Zone-Based Firewall implementation in Cisco IOS 12.4(122)T and ear ...)
	NOT-FOR-US: Cisco
CVE-2015-0592 (The Zone-Based Firewall implementation in Cisco IOS 15.4(2)T3 and earl ...)
	NOT-FOR-US: Cisco
CVE-2015-0591 (Cisco Unified Communications Domain Manager (UCDM) 10 allows remote at ...)
	NOT-FOR-US: Cisco Unified Communications Domain Manager
CVE-2015-0590 (Cisco WebEx Meeting Center allows remote attackers to activate disable ...)
	NOT-FOR-US: Cisco WebEx
CVE-2015-0589 (The administrative web interface in Cisco WebEx Meetings Server 1.0 th ...)
	NOT-FOR-US: Cisco
CVE-2015-0588 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Commu ...)
	NOT-FOR-US: Cisco Unified Communications Domain Manager
CVE-2015-0587
	RESERVED
CVE-2015-0586 (The Network-Based Application Recognition (NBAR) protocol implementati ...)
	NOT-FOR-US: Cisco
CVE-2015-0585
	RESERVED
CVE-2015-0584 (The image-upgrade implementation on Cisco Desktop Collaboration Experi ...)
	NOT-FOR-US: Cisco
CVE-2015-0583 (Cisco WebEx Meeting Center does not properly restrict the content of U ...)
	NOT-FOR-US: Cisco WebEx Meeting Center
CVE-2015-0582 (The High Availability (HA) subsystem in Cisco NX-OS on MDS 9000 device ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2015-0581 (The XML parser in Cisco Prime Service Catalog before 10.1 allows remot ...)
	NOT-FOR-US: Cisco
CVE-2015-0580 (Multiple SQL injection vulnerabilities in the ACS View reporting inter ...)
	NOT-FOR-US: Cisco Secure Access Control System
CVE-2015-0579 (Cisco TelePresence Video Communication Server (VCS) and Cisco Expressw ...)
	NOT-FOR-US: Cisco TelePresence Video Communication Server
CVE-2015-0578 (Cisco Adaptive Security Appliance (ASA) Software, when a DHCPv6 relay ...)
	NOT-FOR-US: Cisco Adaptive Security Appliance
CVE-2015-0577 (Multiple cross-site scripting (XSS) vulnerabilities in the IronPort Sp ...)
	NOT-FOR-US: Cisco AsyncOS
CVE-2015-0576 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0575 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0574 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0573 (drivers/media/platform/msm/broadcast/tsc.c in the TSC driver for the L ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0572 (Multiple race conditions in drivers/char/adsprpc.c and drivers/char/ad ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0571 (The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0570 (Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0569 (Heap-based buffer overflow in the private wireless extensions IOCTL im ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0568 (Use-after-free vulnerability in the msm_set_crop function in drivers/m ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2015-0567
	RESERVED
CVE-2015-0566
	RESERVED
CVE-2015-0565 (NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks ...)
	- nacl (unimportant)
	NOTE: https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=284
	NOTE: Limited impact, and for chromium itself the CLFLUSH instruction has been
	NOTE: disallowed.
CVE-2015-1198 (Multiple directory traversal vulnerabilities in ha 0.999p+dfsg-5. ...)
	- ha (low; bug #774954)
	[squeeze] - ha (Minor issue)
	[wheezy] - ha (Minor issue)
CVE-2015-1352 (The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) ...)
	{DSA-3195-1}
	- php5 5.6.6+dfsg-2 (bug #777036)
	[squeeze] - php5 (vulnerable code (build_tablename()) introduced later)
	NOTE: https://bugs.php.net/bug.php?id=68741
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
CVE-2015-1351 (Use-after-free vulnerability in the _zend_shared_memdup function in ze ...)
	- php5 5.6.6+dfsg-2 (bug #777033)
	[squeeze] - php5 (opcache introduced in 5.5)
	[wheezy] - php5 (opcache introduced in 5.5)
	NOTE: https://bugs.php.net/bug.php?id=68677
	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115
CVE-2015-XXXX [insecure keyring handling]
	- weboob 1.0-3 (low; bug #774838)
	[wheezy] - weboob (Minor issue)
CVE-2015-1042 (The string_sanitize_url function in core/string_api.php in MantisBT 1. ...)
	- mantis (bug #780875)
	[wheezy] - mantis (Minor issue)
	[squeeze] - mantis (Incomplete fix not applied)
	NOTE: https://www.mantisbt.org/bugs/view.php?id=17997
	NOTE: http://github.com/mantisbt/mantisbt/commit/d95f070d
CVE-2015-1031 (Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow ...)
	{DSA-3133-1 DLA-142-1}
	- privoxy 3.0.21-5 (bug #775167)
	NOTE: http://www.privoxy.org/announce.txt
	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/list.c?view=patch&r1=1.31&r2=1.32&pathrev=v_3_0_22
CVE-2015-1030 (Memory leak in the rfc2553_connect_to function in jbsocket.c in Privox ...)
	- privoxy 3.0.21-5 (bug #775167)
	[squeeze] - privoxy (Introduced in 3.0.21)
	[wheezy] - privoxy (Introduced in 3.0.21)
	NOTE: http://www.privoxy.org/announce.txt
	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch&r1=1.130&r2=1.131&pathrev=v_3_0_22
CVE-2015-1197 (cpio 2.11, when using the --no-absolute-filenames option, allows local ...)
	- cpio 2.11+dfsg-4.1 (low; bug #774669)
	[wheezy] - cpio (Minor issue)
	[squeeze] - cpio (Minor issue)
	NOTE: Patch used in SUSE: https://bugzilla.suse.com/attachment.cgi?id=599460&action=diff
	NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca
	NOTE: Regression in upstream's handling of patch https://bugs.debian.org/946267
CVE-2015-4469 (The chmd_read_headers function in chmd.c in libmspack before 0.5 does ...)
	- libmspack 0.4-3 (bug #774726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4468 (Multiple integer overflows in the search_chunk function in chmd.c in l ...)
	- libmspack 0.4-3 (bug #774726)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4467 (The chmd_init_decomp function in chmd.c in libmspack before 0.5 does n ...)
	- libmspack 0.4-3 (bug #774725)
	NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-9275 (ARC 5.21q allows directory traversal via a full pathname in an archive ...)
	- arc 5.21q-6 (low; bug #774527)
	[stretch] - arc 5.21q-4+deb9u1
	[jessie] - arc (Minor issue)
	[wheezy] - arc (Minor issue)
	[squeeze] - arc (Minor issue)
CVE-2015-XXXX [saves unknown host's fingerprint in known_hosts without any prompt]
	- lftp 4.6.1-2 (low; bug #774769)
	[jessie] - lftp 4.6.0-1+deb8u1
	[squeeze] - lftp (Minor issue)
	[wheezy] - lftp (Minor issue)
	NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/03/12/10
CVE-2015-0564 (Buffer underflow in the ssl_decrypt_record function in epan/dissectors ...)
	{DSA-3141-1 DLA-198-1}
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-05.html
CVE-2015-0563 (epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10. ...)
	{DLA-198-1}
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	[squeeze] - wireshark (Only affected 1.10)
	[wheezy] - wireshark (Only affected 1.10)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-04.html
CVE-2015-0562 (Multiple use-after-free vulnerabilities in epan/dissectors/packet-dec- ...)
	{DSA-3141-1 DLA-198-1}
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-03.html
CVE-2015-0561 (asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10. ...)
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	[squeeze] - wireshark (Only affected 1.8.9)
	[wheezy] - wireshark (Only affected 1.8.9)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-02.html
CVE-2015-0560 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...)
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	[squeeze] - wireshark (Only affected 1.10)
	[wheezy] - wireshark (Only affected 1.10)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html
CVE-2015-0559 (Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp ...)
	- wireshark 1.12.1+g01b65bf-3 (bug #776135)
	[squeeze] - wireshark (Only affected 1.10)
	[wheezy] - wireshark (Only affected 1.10)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html
CVE-2015-0558 (The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with ...)
	NOT-FOR-US: ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router
CVE-2015-0555 (Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in ...)
	NOT-FOR-US: Samsung
CVE-2015-0554 (The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with ...)
	NOT-FOR-US: ADB router
CVE-2015-0553 (Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in ...)
	NOT-FOR-US: WebsiteBaker
CVE-2015-1038 (p7zip 9.20.1 allows remote attackers to write to arbitrary files via a ...)
	{DSA-3289-1 DLA-245-1}
	- p7zip 9.20.1~dfsg.1-4.2 (bug #774660)
	NOTE: Upstream bug: http://sourceforge.net/p/p7zip/bugs/147/
CVE-2015-0552 (Directory traversal vulnerability in the gcab_folder_extract function ...)
	- gcab 0.4-2 (bug #774580)
CVE-2015-XXXX [Zoo directory traversal]
	- zoo (low; bug #774453)
	[stretch] - zoo (Minor issue)
	[jessie] - zoo (Minor issue)
	[wheezy] - zoo (Minor issue)
	[squeeze] - zoo (Minor issue)
	NOTE: CVE Request: https://marc.info/?l=oss-security&m=142024361327375&w=2
CVE-2015-0557 (Open-source ARJ archiver 3.10.22 does not properly remove leading slas ...)
	{DSA-3213-1 DLA-188-1}
	- arj 3.10.22-13 (low; bug #774435)
CVE-2015-0556 (Open-source ARJ archiver 3.10.22 allows remote attackers to conduct di ...)
	{DSA-3213-1 DLA-188-1}
	- arj 3.10.22-13 (low; bug #774434)
CVE-2015-0551 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...)
	NOT-FOR-US: EMC Documentum WebTop Client
CVE-2015-0550 (Directory traversal vulnerability in EMC Documentum Thumbnail Server 6 ...)
	NOT-FOR-US: EMC Documentum Thumbnail Server
CVE-2015-0549 (Cross-site scripting (XSS) vulnerability in EMC Documentum D2 before 4 ...)
	NOT-FOR-US: EMC Documentum D2
CVE-2015-0548 (The D2DownloadService.getDownloadUrls service method in EMC Documentum ...)
	NOT-FOR-US: EMC Documentum D2
CVE-2015-0547 (The D2CenterstageService.getComments service method in EMC Documentum ...)
	NOT-FOR-US: EMC Documentum D2
CVE-2015-0546 (EMC Unified Infrastructure Manager/Provisioning (UIM/P) 4.1 allows rem ...)
	NOT-FOR-US: EMC Unified Infrastructure Manager/Provisioning
CVE-2015-0545 (EMC Unisphere for VMAX 8.x before 8.0.3.4 sets up the Java Debugging W ...)
	NOT-FOR-US: EMC Unisphere
CVE-2015-0544 (EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 d ...)
	NOT-FOR-US: EMC Secure Remote Services Virtual Edition
CVE-2015-0543 (EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 d ...)
	NOT-FOR-US: EMC Secure Remote Services Virtual Edition
CVE-2015-0542 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC RSA ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0541 (Cross-site request forgery (CSRF) vulnerability in EMC RSA Web Threat ...)
	NOT-FOR-US: RSA Web Threat Detection
CVE-2015-0540 (SQL injection vulnerability in the xAdmin interface in EMC Document Sc ...)
	NOT-FOR-US: EMC Document Sciences xPression
CVE-2015-0539
	REJECTED
CVE-2015-0538 (ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allo ...)
	NOT-FOR-US: EMC AutoStart
CVE-2015-0537 (Integer underflow in the base64-decoding implementation in EMC RSA BSA ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0536 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0535 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0534 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0533 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...)
	NOT-FOR-US: EMC RSA
CVE-2015-0532 (EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6. ...)
	NOT-FOR-US: EMC RSA Identity Management and Governance
CVE-2015-0531 (EMC SourceOne Email Management before 7.2 does not have a lockout mech ...)
	NOT-FOR-US: EMC SourceOne Email Management
CVE-2015-0530 (Buffer overflow in an unspecified function in nsr_render_log in EMC Ne ...)
	NOT-FOR-US: EMC NetWorker
CVE-2015-0529 (EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default pass ...)
	NOT-FOR-US: EMC PowerPath Virtual Appliance
CVE-2015-0528 (The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7. ...)
	NOT-FOR-US: EMC Isilon OneFS
CVE-2015-0527 (EMC Documentum xCelerated Management System (xMS) 1.1 before P14 store ...)
	NOT-FOR-US: EMC
CVE-2015-0526 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Validat ...)
	NOT-FOR-US: EMC RSA Validation Manager
CVE-2015-0525 (The Gateway Provisioning service in EMC Secure Remote Services Virtual ...)
	NOT-FOR-US: EMC
CVE-2015-0524 (SQL injection vulnerability in the Gateway Provisioning service in EMC ...)
	NOT-FOR-US: EMC
CVE-2015-0523 (EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registr ...)
	NOT-FOR-US: RSA
CVE-2015-0522 (Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manage ...)
	NOT-FOR-US: RSA
CVE-2015-0521 (Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manage ...)
	NOT-FOR-US: RSA
CVE-2015-0520
	REJECTED
CVE-2015-0519 (The InputAccel Database (IADB) installation process in EMC Captiva Cap ...)
	NOT-FOR-US: EMC Captiva Capture
CVE-2015-0518 (The Properties service in the D2FS web-service component in EMC Docume ...)
	NOT-FOR-US: EMC Documentum D2
CVE-2015-0517 (The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 ...)
	NOT-FOR-US: EMC Documentum D2
CVE-2015-0516 (Directory traversal vulnerability in EMC M&R (aka Watch4Net) befor ...)
	NOT-FOR-US: EMC
CVE-2015-0515 (Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) ...)
	NOT-FOR-US: EMC
CVE-2015-0514 (EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 mig ...)
	NOT-FOR-US: EMC
CVE-2015-0513 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...)
	NOT-FOR-US: EMC
CVE-2015-0512 (Open redirect vulnerability in EMC Unisphere Central before 4.0 allows ...)
	NOT-FOR-US: EMC
CVE-2015-0511 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0510 (Unspecified vulnerability in the Oracle Commerce Platform component in ...)
	NOT-FOR-US: Oracle
CVE-2015-0509 (Unspecified vulnerability in the Oracle Hyperion BI+ component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-0508 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0507 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0506 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0505 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 (bug #782645)
	[jessie] - mysql-5.5 5.5.43-0+deb8u1
	- mariadb-10.0 10.0.19-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0504 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle
CVE-2015-0503 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0502 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-0501 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 (bug #782645)
	[jessie] - mysql-5.5 5.5.43-0+deb8u1
	- mariadb-10.0 10.0.19-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0500 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0499 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1 DLA-359-1}
	- mysql-5.5 (bug #782645)
	[jessie] - mysql-5.5 5.5.43-0+deb8u1
	- mariadb-10.0 10.0.19-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0498 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0497 (Unspecified vulnerability in the PeopleSoft Enterprise Portal Interact ...)
	NOT-FOR-US: Oracle
CVE-2015-0496 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0495 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-0494 (Unspecified vulnerability in the Oracle Retail Central Office componen ...)
	NOT-FOR-US: Oracle
CVE-2015-0493 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-0492 (Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX ...)
	- openjdk-7 (JavaFX not part of OpenJDK)
	- openjdk-8 (JavaFX not part of OpenJDK)
CVE-2015-0491 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	- openjdk-6 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown
CVE-2015-0490 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...)
	NOT-FOR-US: Oracle
CVE-2015-0489 (Unspecified vulnerability in the Application Management Pack for Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-0488 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
	NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/04cda5b7a3c1
CVE-2015-0487 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0486 (Unspecified vulnerability in Oracle Java SE 8u40 allows remote attacke ...)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-0485 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Strategic S ...)
	NOT-FOR-US: Oracle
CVE-2015-0484 (Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX ...)
	- openjdk-7 (JavaFX not part of OpenJDK)
	- openjdk-8 (JavaFX not part of OpenJDK)
CVE-2015-0483 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...)
	NOT-FOR-US: Oracle
CVE-2015-0482 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...)
	NOT-FOR-US: Oracle
CVE-2015-0481
	REJECTED
CVE-2015-0480 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-8 8u45-b14-1
	- openjdk-7 7u79-2.5.5-1 (bug #774953)
	- openjdk-6 6b35-1.13.7-1
	NOTE: https://www.openwall.com/lists/oss-security/2015/01/16/2
CVE-2015-0479 (Unspecified vulnerability in the XDK and XDB - XML Database component ...)
	NOT-FOR-US: Oracle
CVE-2015-0478 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
CVE-2015-0477 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
CVE-2015-0476 (Unspecified vulnerability in the SQL Trace Analyzer component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-0475 (Unspecified vulnerability in the JD Edwards EnterpriseOne Technology c ...)
	NOT-FOR-US: Oracle
CVE-2015-0474 (Unspecified vulnerability in the Oracle Outside In Technology componen ...)
	NOT-FOR-US: Oracle
CVE-2015-0473 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0472 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0471 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...)
	NOT-FOR-US: Oracle
CVE-2015-0470 (Unspecified vulnerability in Oracle Java SE 8u40 allows remote attacke ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
CVE-2015-0469 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
CVE-2015-0468 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...)
	NOT-FOR-US: Oracle Database Server
CVE-2015-0467 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Talent Acqu ...)
	NOT-FOR-US: PeopleSoft
CVE-2015-0466 (Unspecified vulnerability in the Oracle Retail Back Office component i ...)
	NOT-FOR-US: Oracle
CVE-2015-0465 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0464 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0463 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0462 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0461 (Unspecified vulnerability in the Oracle Access Manager component in Or ...)
	NOT-FOR-US: Oracle
CVE-2015-0460 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	{DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1}
	- openjdk-6 6b35-1.13.7-1
	- openjdk-7 7u79-2.5.5-1
	- openjdk-8 8u45-b14-1
CVE-2015-0459 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)
	- openjdk-6 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown
CVE-2015-0458 (Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 al ...)
	- openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-0457 (Unspecified vulnerability in the Java VM component in Oracle Database ...)
	NOT-FOR-US: Oracle
CVE-2015-0456 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...)
	NOT-FOR-US: Oracle
CVE-2015-0455 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-0454
	REJECTED
CVE-2015-0453 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0452 (Unspecified vulnerability in the Oracle VM Server for SPARC component ...)
	NOT-FOR-US: Oracle
CVE-2015-0451 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...)
	NOT-FOR-US: Oracle
CVE-2015-0450 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...)
	NOT-FOR-US: Oracle
CVE-2015-0449 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...)
	NOT-FOR-US: Oracle
CVE-2015-0448 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...)
	NOT-FOR-US: Oracle
CVE-2015-0447 (Unspecified vulnerability in the Oracle Applications Technology Stack ...)
	NOT-FOR-US: Oracle
CVE-2015-0446 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-0445 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-0444 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-0443 (Unspecified vulnerability in the Oracle Data Integrator component in O ...)
	NOT-FOR-US: Oracle Fusion
CVE-2015-0442
	REJECTED
CVE-2015-0441 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1}
	- mysql-5.5 5.5.42-1
	- mariadb-10.0 10.0.17-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0440 (Unspecified vulnerability in the Oracle Knowledge component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-0439 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0438 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0437 (Unspecified vulnerability in Oracle Java SE 8u25 allows remote attacke ...)
	- openjdk-8 8u40~b22-1
CVE-2015-0436 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...)
	NOT-FOR-US: Oracle iLearning
CVE-2015-0435 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0434 (Unspecified vulnerability in the Oracle Access Manager component in Or ...)
	NOT-FOR-US: Oracle
CVE-2015-0433 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...)
	{DSA-3311-1 DSA-3229-1}
	- mysql-5.5 5.5.42-1
	- mariadb-10.0 10.0.17-1
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0432 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier al ...)
	{DSA-3135-1}
	- mysql-5.5 5.5.42-1 (bug #775881)
	- mariadb-10.0 10.0.16-1 (bug #775882)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
CVE-2015-0431 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0430 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-0429 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-0428 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-0427 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	- virtualbox 4.3.18-dfsg-2 (bug #775888)
	[wheezy] - virtualbox (Introduced in 4.3)
	- virtualbox-ose (Introduced in 4.3)
CVE-2015-0426 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0425 (Unspecified vulnerability in the Oracle Enterprise Asset Management co ...)
	NOT-FOR-US: Oracle
CVE-2015-0424 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...)
	NOT-FOR-US: Oracle Sun Systems Products Suite ILOM
CVE-2015-0423 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0422 (Unspecified vulnerability in the Oracle Transportation Management comp ...)
	NOT-FOR-US: Oracle Supply Chain Products Suite
CVE-2015-0421 (Unspecified vulnerability in Oracle Java SE 8u25 allows local users to ...)
	- openjdk-8 8u40~b22-1
CVE-2015-0420 (Unspecified vulnerability in the Oracle Forms component in Oracle Fusi ...)
	NOT-FOR-US: Oracle
CVE-2015-0419 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-0418 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
	{DSA-3143-1 DLA-268-1}
	- virtualbox 4.3.2-dfsg-1 (low; bug #775888)
	- virtualbox-ose (low)
	NOTE: This only affects releases < 4.3, so marking the first 4.3 upload as the fixed version
	NOTE: Upstream patches in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775888#30
CVE-2015-0417 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-0416 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-0415 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle
CVE-2015-0414 (Unspecified vulnerability in the Oracle SOA Suite component in Oracle ...)
	NOT-FOR-US: Oracle
CVE-2015-0413 (Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local ...)
	- openjdk-7 (Specific to Oracle Java, not present in IcedTea)
	- openjdk-8 (Specific to Oracle Java, not present in IcedTea)
	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown
CVE-2015-0412 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1
	- openjdk-8 8u40~b22-1
CVE-2015-0411 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, a ...)
	{DSA-3135-1}
	- mysql-5.5 5.5.42-1 (bug #775881)
	- mariadb-10.0 10.0.16-1 (bug #775882)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
CVE-2015-0410 (Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit co ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1
	- openjdk-8 8u40~b22-1
CVE-2015-0409 (Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier al ...)
	- mysql-5.5 (Only MySQL 5.6)
	- mariadb-10.0 (Vulnerable code not present, see https://bugs.debian.org/775882#39)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
	NOTE: For mariadb-10.0 not clear if affected
CVE-2015-0408 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1
	- openjdk-8 8u40~b22-1
CVE-2015-0407 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1
	- openjdk-8 8u40~b22-1
CVE-2015-0406 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...)
	- openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-0405 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...)
	- mysql-5.5 (Only affects 5.6)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
CVE-2015-0404 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle
CVE-2015-0403 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...)
	- openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2015-0402 (Unspecified vulnerability in the Siebel Core - Server BizLogic Script ...)
	NOT-FOR-US: Oracle
CVE-2015-0401 (Unspecified vulnerability in the Oracle Directory Server Enterprise Ed ...)
	NOT-FOR-US: Oracle
CVE-2015-0400 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...)
	- openjdk-6 (This only affects Java on Windows)
	- openjdk-7 (This only affects Java on Windows)
	- openjdk-8 (This only affects Java on Windows)
CVE-2015-0399 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...)
	NOT-FOR-US: Oracle
CVE-2015-0398 (Unspecified vulnerability in the Siebel Life Sciences component in Ora ...)
	NOT-FOR-US: Oracle
CVE-2015-0397 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-0396 (Unspecified vulnerability in the Oracle GlassFish Server component in ...)
	- glassfish (Full application server not packaged)
CVE-2015-0395 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1
	- openjdk-8 8u40~b22-1
CVE-2015-0394 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0393 (Unspecified vulnerability in the Oracle Applications DBA component in ...)
	NOT-FOR-US: Oracle
CVE-2015-0392 (Unspecified vulnerability in the Siebel Core - Server BizLogic Script ...)
	NOT-FOR-US: Oracle
CVE-2015-0391 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...)
	- mysql-5.5 5.5.39-1
	[wheezy] - mysql-5.5 5.5.40-0+wheezy1
	- mariadb-10.0 10.0.14-2
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
CVE-2015-0390 (Unspecified vulnerability in the MICROS Retail component in Oracle Ret ...)
	NOT-FOR-US: Oracle
CVE-2015-0389 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...)
	NOT-FOR-US: Oracle
CVE-2015-0388 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...)
	NOT-FOR-US: Oracle
CVE-2015-0387 (Unspecified vulnerability in the Siebel Core - Server OM Services comp ...)
	NOT-FOR-US: Oracle
CVE-2015-0386 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...)
	NOT-FOR-US: Oracle
CVE-2015-0385 (Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier al ...)
	- mysql-5.5 (Only MySQL 5.6)
	- mariadb-10.0 (Vulnerable code not present, see https://bugs.debian.org/775882#39)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
	NOTE: For mariadb-10.0 not clear if affected
CVE-2015-0384 (Unspecified vulnerability in the Siebel Public Sector component in Ora ...)
	NOT-FOR-US: Oracle
CVE-2015-0383 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...)
	{DSA-3147-1 DSA-3144-1 DLA-157-1}
	- openjdk-6 6b34-1.13.6-1
	- openjdk-7 7u75-2.5.4-1 (bug #761683)
	- openjdk-8 8u40~b22-1
CVE-2015-0382 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...)
	{DSA-3135-1}
	- mysql-5.5 5.5.42-1 (bug #775881)
	- mariadb-10.0 10.0.16-1 (bug #775882)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
CVE-2015-0381 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...)
	{DSA-3135-1}
	- mysql-5.5 5.5.42-1 (bug #775881)
	- mariadb-10.0 10.0.16-1 (bug #775882)
	- percona-xtradb-cluster-5.5
	NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
CVE-2015-0380 (Unspecified vulnerability in the Oracle Telecommunications Billing Int ...)
	NOT-FOR-US: Oracle
CVE-2015-0379 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...)
	NOT-FOR-US: Oracle
CVE-2015-0378 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...)
	NOT-FOR-US: Oracle Sun Solaris
CVE-2015-0377 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
{DSA-3143-1 DLA-268-1} - virtualbox 4.3.2-dfsg-1 (bug #775888) - virtualbox-ose NOTE: According to http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html the 4.3 NOTE: series is not affected, so marking the first 4.3 upload as fixed NOTE: Upstream patches in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775888#30 CVE-2015-0376 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle CVE-2015-0375 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remot ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0374 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0373 (Unspecified vulnerability in the OJVM component in Oracle Database Ser ...) NOT-FOR-US: Oracle CVE-2015-0372 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle CVE-2015-0371 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2015-0370 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2015-0369 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0368 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0367 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-0366 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0365 (Unspecified vulnerability in the Siebel Core - Server Infrastructure c ...) NOT-FOR-US: Oracle CVE-2015-0364 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) 
NOT-FOR-US: Oracle CVE-2015-0363 (Unspecified vulnerability in the Siebel Core EAI component in Oracle S ...) NOT-FOR-US: Oracle CVE-2015-0362 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle CVE-2015-0361 (Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows rem ...) - xen 4.4.1-7 (bug #776319) [wheezy] - xen (Only affects 4.2 and later) [squeeze] - xen (Only affects 4.2 and later) CVE-2015-0360 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0359 (Double free vulnerability in Adobe Flash Player before 13.0.0.281 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0358 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0357 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0356 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0355 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0354 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0353 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0352 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0351 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0350 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0349 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-0348 (Buffer overflow in Adobe Flash Player before 13.0.0.281 and 14.x throu ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0347 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0346 (Double free vulnerability in Adobe Flash Player before 13.0.0.281 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0345 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-0344 (Cross-site scripting (XSS) vulnerability in the web app in Adobe Conne ...) NOT-FOR-US: Adobe CVE-2015-0343 (Cross-site scripting (XSS) vulnerability in admin/home/homepage/search ...) NOT-FOR-US: Adobe CVE-2015-0342 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0341 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0340 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0339 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0338 (Integer overflow in Adobe Flash Player before 13.0.0.277 and 14.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0337 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0336 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0335 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0334 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0333 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-0332 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0331 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0330 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0329 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0328 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0327 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0326 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0325 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0324 (Buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x throu ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0323 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0322 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0321 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0320 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0319 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0318 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0317 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-0316 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0315 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0314 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0313 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0312 (Double free vulnerability in Adobe Flash Player before 13.0.0.264 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0311 (Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0310 (Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0309 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0308 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.260 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0307 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0306 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0305 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0304 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0303 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0302 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0301 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) 
NOT-FOR-US: Adobe Flash Player CVE-2015-0300 REJECTED CVE-2015-0299 (Multiple cross-site scripting (XSS) vulnerabilities in Open Source Poi ...) NOT-FOR-US: Open Source Point of Sale CVE-2015-0298 (Cross-site scripting (XSS) vulnerability in the manager web interface ...) - libapache2-mod-cluster (bug #731410) CVE-2015-0297 (Red Hat JBoss Operations Network 3.3.1 does not properly restrict acce ...) NOT-FOR-US: RHQ CVE-2015-0296 (The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged ...) - texlive-base (Specific to Red Hat packaging/postinst) CVE-2015-0295 (The BMP decoder in QtGui in QT before 5.5 does not properly calculate ...) {DLA-210-1} - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3 (bug #779550) [wheezy] - qt4-x11 (Minor issue) [experimental] - qtbase-opensource-src 5.4.1+dfsg-2 - qtbase-opensource-src 5.3.2+dfsg-5 (bug #779580) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-February/000059.html CVE-2015-0294 (GnuTLS before 3.3.13 does not validate that the signature algorithms m ...) {DSA-3191-1 DLA-180-1} - gnutls26 [experimental] - gnutls28 3.3.13-1 - gnutls28 3.3.8-6 (bug #779428) NOTE: https://gitlab.com/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff (gnutls_3_3_13) CVE-2015-0293 (The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0 ...) {DLA-177-1} - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support CVE-2015-0292 (Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encod ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1h-1 CVE-2015-0291 (The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0290 (The multi-block feature in the ssl3_write_bytes function in s3_pkt.c i ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0289 (The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0. ...) 
{DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0288 (The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL bef ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=28a00bcd8e318da18031b2ac8778c64147cd54f9 CVE-2015-0287 (The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL bef ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0286 (The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0 ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0285 (The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1. ...) - openssl (Only affects 1.0.2, only in experimental) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0284 (Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewal ...) NOT-FOR-US: Red Hat Satellite CVE-2015-0283 (The slapi-nis plug-in before 0.54.2 does not properly reallocate memor ...) - slapi-nis 0.54.2-1 (bug #781346) CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature alg ...) {DSA-3191-1 DLA-180-1} - gnutls26 - gnutls28 (Fixed in 3.1.0) NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2015-1 CVE-2015-0281 RESERVED CVE-2015-0280 RESERVED CVE-2015-0279 (JBoss RichFaces before 4.5.4 allows remote attackers to inject express ...) NOT-FOR-US: RichFaces CVE-2015-0278 (libuv before 0.10.34 does not properly drop group privileges, which al ...) - libuv 0.10.28-6 (bug #779173) NOTE: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c NOTE: https://github.com/libuv/libuv/pull/215 CVE-2015-0277 (The Service Provider (SP) in PicketLink before 2.7.0 does not ensure t ...) NOT-FOR-US: PicketLink CVE-2015-0276 (Cross-site request forgery (CSRF) vulnerability in Kallithea before 0. ...) - kallithea (bug #689573) CVE-2015-0275 (The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel ...) 
- linux 3.16.7-ckt9-1 [wheezy] - linux (Introduced in v3.15) - linux-2.6 (Introduced in v3.15) NOTE: Proposed upstream patch: http://www.spinics.net/lists/linux-ext4/msg47193.html CVE-2015-0274 (The XFS implementation in the Linux kernel before 3.15 improperly uses ...) - linux 3.11.5-1 [wheezy] - linux (Introduced in v3.11-rc1) - linux-2.6 (Introduced in v3.11-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8275cdd0e7ac550dcce2b3ef6d2fb3b808c1ae59 (v3.15-rc5) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e461fcb194172b3f709e0b478d2ac1bdac7ab9a3 (v3.11-rc1) CVE-2015-0273 (Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP ...) {DSA-3195-1} - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68942 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c377f1a715476934133f3254d1e0d4bf3743e2d2 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24 CVE-2015-0272 (GNOME NetworkManager allows remote attackers to cause a denial of serv ...) - network-manager 1.0.4-1 [jessie] - network-manager (Will be fixed on the kernel side) [wheezy] - network-manager (code introduced in 0.9.10) [squeeze] - network-manager (code introduced in 0.9.10) NOTE: Commit for NetworkManager: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d5fc88e573fa58b93034b04d35a2454f5d28cad9 (1.2-beta1) NOTE: Issue introduced in 0.9.10 with http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=7d5779300450bc2602ba4f7f472ebfa58bea3571 CVE-2015-0271 (The log-viewing function in the Red Hat redhat-access-plugin before 6. ...) - horizon (RedHat-specific plugin) CVE-2015-0270 (Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL ...) 
- zendframework (the vulnerability was introduced in the 2 series) - php-zend-db (Fixed before initial upload to the archive) NOTE: http://framework.zend.com/security/advisory/ZF2015-02 CVE-2015-0269 (Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x b ...) NOT-FOR-US: Contao CVE-2015-0268 (The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when r ...) - xen (Only affects 4.5) NOTE: http://xenbits.xen.org/xsa/advisory-117.html CVE-2015-0267 (The Red Hat module-setup.sh script for kexec-tools, as distributed in ...) - kexec-tools (Vulnerable script not present in the Debian package) CVE-2015-0266 (The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote auth ...) NOT-FOR-US: Apache Ranger CVE-2015-0265 (Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in A ...) NOT-FOR-US: Apache Ranger CVE-2015-0264 (Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPat ...) NOT-FOR-US: Apache Camel CVE-2015-0263 (XML external entity (XXE) vulnerability in the XML converter setup in ...) NOT-FOR-US: Apache Camel CVE-2015-0262 REJECTED CVE-2015-0261 (Integer signedness error in the mobility_opt_print function in the IPv ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0003-test-case-for-cve2015-0261-corrupted-IPv6-mobility-h.patch CVE-2015-0260 (RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated u ...) - kallithea (bug #753975) CVE-2015-0259 (OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, an ...) - nova 2014.1.3-11 (bug #780250) [wheezy] - nova (Vulnerable code not present) CVE-2015-0258 (Multiple incomplete blacklist vulnerabilities in the avatar upload fun ...) {DLA-2125-1} - collabtive NOTE: https://github.com/philippK-de/Collabtive/commit/9ce6301583669d0a8ecb4d23fb56e34b68511335 CVE-2015-0257 (Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses wea ...) 
NOT-FOR-US: ovirt / RHEV CVE-2015-0256 RESERVED CVE-2015-0255 (X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x be ...) {DSA-3160-1 DLA-218-1} - xorg-server 2:1.16.4-1 CVE-2015-0254 (Apache Standard Taglibs before 1.2.3 allows remote attackers to execut ...) - jakarta-taglibs-standard 1.1.2-3 (bug #779621) [wheezy] - jakarta-taglibs-standard (Minor issue) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57560 CVE-2015-0253 (The read_request_line function in server/protocol.c in the Apache HTTP ...) - apache2 (Vulnerable version 2.4.11 never in Debian) CVE-2015-0252 (internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote a ...) {DSA-3199-1 DLA-181-1} - xerces-c 3.1.1-5.1 (bug #780827) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1667870 CVE-2015-0251 (The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 th ...) {DSA-3231-1 DLA-207-1} - subversion 1.8.10-6 NOTE: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt CVE-2015-0250 (XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) ...) {DSA-3205-1 DLA-182-1} - batik 1.7+dfsg-5 (bug #780897) NOTE: https://issues.apache.org/jira/browse/BATIK-1018 NOTE: https://issues.apache.org/jira/browse/BATIK-1113 NOTE: Commit disabling external xml entities: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&diff_format=h NOTE: PoC: https://www.ernw.de/download/xxe_batik.tar.xz CVE-2015-0249 (The weblog page template in Apache Roller 5.1 through 5.1.1 allows rem ...) NOT-FOR-US: Apache Roller CVE-2015-0248 (The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 throu ...) {DSA-3231-1 DLA-207-1} - subversion 1.8.10-6 NOTE: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt CVE-2015-0247 (Heap-based buffer overflow in openfs.c in the libext2fs library in e2f ...) 
{DSA-3166-1 DLA-153-1} - e2fsprogs 1.42.12-1 NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 CVE-2015-0246 REJECTED CVE-2015-0245 (D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9. ...) {DSA-3161-1} - dbus 1.8.16-1 (bug #777545) [squeeze] - dbus (affects 1.4 and above) CVE-2015-0244 (PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9. ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0243 (Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0 ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0242 (Stack-based buffer overflow in the *printf function implementations in ...) - postgresql-9.4 (Only affects PostgreSQL on Windows) - postgresql-9.1 (Only affects PostgreSQL on Windows) CVE-2015-0241 (The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0240 (The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x be ...) {DSA-3171-1 DLA-156-1} - samba 2:4.1.17+dfsg-1 (bug #779033) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: Server components removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: https://www.samba.org/samba/security/CVE-2015-0240 CVE-2015-0239 (The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel ...) 
{DSA-3170-1} - linux 3.16.7-ckt4-2 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c60435261deaefeb53ce3222d04d7d5bea81296 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3747379accba8e95d70cec0eae0582c8c182050 NOTE: http://permalink.gmane.org/gmane.linux.kernel.commits.head/502245 CVE-2015-0238 (selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to ...) NOT-FOR-US: selinux-policy as shipped with Red Hat OpenShift 2 CVE-2015-0237 (Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores ...) NOT-FOR-US: Red Hat vdms CVE-2015-0236 (libvirt before 1.2.12 allow remote authenticated users to obtain the V ...) - libvirt 1.2.9-8 (bug #776065) [wheezy] - libvirt (Vulnerable code introduced in v1.1.0-rc1) [squeeze] - libvirt (Vulnerable code introduced in v1.1.0-rc1) NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=03c3c0c874c84dfa51ef17556062b095c6e1c0a3 NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=b347c0c2a321ec5c20aae214927949832a288c5a NOTE: Introduced by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=e341435e5090677c67a0d3d4ca0393102054841f (v1.1.0-rc1) NOTE: http://security.libvirt.org/2015/0001.html CVE-2015-0235 (Heap-based buffer overflow in the __nss_hostname_digits_dots function ...) {DSA-3142-1 DLA-139-1} - eglibc (high; bug #776391) - glibc 2.18-1 (high) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=15014 CVE-2015-0234 (Multiple temporary file creation vulnerabilities in pki-core 10.2.0. ...) - dogtag-pki (unimportant) NOTE: Rendered unexploitable by /tmp hardening in Debian kernel CVE-2015-0233 (Multiple insecure Temporary File vulnerabilities in 389 Administration ...) 
- 389-admin 1.1.38-1 (unimportant) NOTE: Rendered unexploitable by /tmp hardening in Debian kernel CVE-2015-0232 (The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4 ...) {DSA-3195-1 DLA-212-1} - php5 5.6.5+dfsg-1 NOTE: https://bugs.php.net/patch-display.php?bug=68799&patch=bug68799fix&revision=1420966468 NOTE: https://bugs.php.net/bug.php?id=68799 CVE-2015-0231 (Use-after-free vulnerability in the process_nested_data function in ex ...) {DSA-3195-1} - php5 5.6.5+dfsg-1 [squeeze] - php5 (Broken patch for CVE-2014-8142 never applied) NOTE: https://bugs.php.net/bug.php?id=68710 NOTE: Upstream fix: https://github.com/php/php-src/commit/b585a3aed7880a5fa5c18e2b838fc96f40e075bd NOTE: in unstable actually incomplete fix was not yet applied, so n/a but wheezy is CVE-2015-0230 REJECTED CVE-2015-0229 REJECTED CVE-2015-0228 (The lua_websocket_read function in lua_request.c in the mod_lua module ...) - apache2 2.4.10-10 (low) [wheezy] - apache2 (no mod_lua in 2.2) [squeeze] - apache2 (no mod_lua in 2.2) NOTE: https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef CVE-2015-0227 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attacker ...) - wss4j 1.6.15-2 (bug #777741) [wheezy] - wss4j (Vulnerable code not present) [squeeze] - wss4j (Vulnerable code not present) CVE-2015-0226 (Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks inf ...) - wss4j 1.6.15-2 (bug #777741) [wheezy] - wss4j (Vulnerable code not present) [squeeze] - wss4j (Vulnerable code not present) CVE-2015-0225 (The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2. ...) - cassandra (bug #585905) CVE-2015-0224 (qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause ...) 
- qpid-cpp (Incomplete fix for CVE-2015-0203 not applied) NOTE: CVE is for incomplete fix for CVE-2015-0203, which is not fixed in Debian NOTE: https://issues.apache.org/jira/browse/QPID-6310 CVE-2015-0223 (Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remot ...) - qpid-cpp (bug #772794) [wheezy] - qpid-cpp (Minor issue) NOTE: https://issues.apache.org/jira/browse/QPID-6325 CVE-2015-0222 (ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x befor ...) - python-django 1.7.1-1.1 (bug #775375) [wheezy] - python-django (1.4.x not affected) [squeeze] - python-django (1.2.x not affected) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0221 (The django.views.static.serve view in Django before 1.4.18, 1.6.x befo ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0220 (The django.util.http.is_safe_url function in Django before 1.4.18, 1.6 ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0219 (Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allo ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0218 (Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/log ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278618#p1196684 CVE-2015-0217 (filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2. ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278617#p1196683 CVE-2015-0216 (access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not ...) 
- moodle (Only affects 2.8.x) NOTE: https://moodle.org/mod/forum/discuss.php?d=278616#p1196682 CVE-2015-0215 (calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278615#p1196681 CVE-2015-0214 (message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2 ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278614#p1196680 CVE-2015-0213 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) edit ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278613#p1196679 CVE-2015-0212 (Cross-site scripting (XSS) vulnerability in course/pending.php in Mood ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278612#p1196678 CVE-2015-0211 (mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x be ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278611#p1196676 CVE-2015-0210 (wpa_supplicant 2.0-16 does not properly check certificate subject name ...) NOTE: likely to be REJECTed NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0210 CVE-2015-0209 (Use-after-free vulnerability in the d2i_ECPrivateKey function in crypt ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a CVE-2015-0208 (The ASN.1 signature-verification implementation in the rsa_item_verify ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0207 (The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a d ...) 
- openssl (Only affects 1.0.2, only in experimental) CVE-2015-0206 (Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL ...) {DSA-3125-1} - openssl 1.0.1k-1 [squeeze] - openssl (Affects 1.0.1 and 1.0.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=04685bc949e90a877656cf5020b6d4f90a9636a6 CVE-2015-0205 (The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before ...) {DSA-3125-1} - openssl 1.0.1k-1 [squeeze] - openssl (Only affects 1.0.1 and 1.0.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=98a0f9660d374f58f79ee0efcc8c1672a805e8e8 CVE-2015-0204 (The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9. ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=37580f43b5a39f5f4e920d17273fab9713d3a744 CVE-2015-0203 (The qpidd broker in Apache Qpid 0.30 and earlier allows remote authent ...) - qpid-cpp (bug #775359) [wheezy] - qpid-cpp (Minor issue) CVE-2015-0202 (The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remot ...) - subversion 1.8.10-6 [wheezy] - subversion (Vulnerability introduced with 1.8.0) [squeeze] - subversion (Vulnerability introduced with 1.8.0) NOTE: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt CVE-2015-0201 (The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 ...) - libspring-java (Only affects Spring Framework 4.1.0 to 4.1.4) CVE-2015-0200 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 ...) NOT-FOR-US: IBM WebSphere CVE-2015-0199 (The mmfslinux kernel module in IBM General Parallel File System (GPFS) ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-0198 (IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 befor ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-0197 (IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 befor ...) 
NOT-FOR-US: IBM General Parallel File System CVE-2015-0196 (CRLF injection vulnerability in IBM WebSphere Commerce 6.0 through 6.0 ...) NOT-FOR-US: IBM CVE-2015-0195 (Cross-site scripting (XSS) vulnerability in IBM Content Template Catal ...) NOT-FOR-US: IBM CVE-2015-0194 (XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator ...) NOT-FOR-US: IBM CVE-2015-0193 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0192 (Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP ...) NOT-FOR-US: IBM JDK CVE-2015-0191 REJECTED CVE-2015-0190 RESERVED CVE-2015-0189 (The cluster repository manager in IBM WebSphere MQ 7.5 before 7.5.0.5 ...) NOT-FOR-US: IBM CVE-2015-0188 RESERVED CVE-2015-0187 RESERVED CVE-2015-0186 RESERVED CVE-2015-0185 RESERVED CVE-2015-0184 RESERVED CVE-2015-0183 RESERVED CVE-2015-0182 RESERVED CVE-2015-0181 RESERVED CVE-2015-0180 (The Connector Migration Tool in IBM InfoSphere Information Server 8.1 ...) NOT-FOR-US: IBM CVE-2015-0179 (Notes System Diagnostic (NSD) in IBM Domino 8.5.x before 8.5.3 FP6 IF6 ...) NOT-FOR-US: IBM Domino CVE-2015-0178 (The Java overlay feature in IBM Bluemix Liberty before 1.13-20150209-1 ...) NOT-FOR-US: IBM Bluemix Liberty CVE-2015-0177 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-0176 (Cross-site scripting (XSS) vulnerability in MQ XR WebSockets Listener ...) NOT-FOR-US: IBM WebSphere MQ CVE-2015-0175 (IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-0174 (The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-0173 (The HTTP connection-management functionality in Internet Pass-Thru (IP ...) NOT-FOR-US: IBM CVE-2015-0172 (IBM Security SiteProtector System 3.0, 3.1.0 and 3.1.1 allows remote a ...) 
	NOT-FOR-US: IBM Security SiteProtector System
CVE-2015-0171 (Directory traversal vulnerability in IBM Security SiteProtector System ...)
	NOT-FOR-US: IBM
CVE-2015-0170 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...)
	NOT-FOR-US: IBM
CVE-2015-0169 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...)
	NOT-FOR-US: IBM
CVE-2015-0168 (Cross-site scripting (XSS) vulnerability in IBM Security SiteProtector ...)
	NOT-FOR-US: IBM
CVE-2015-0167 (Cross-site scripting (XSS) vulnerability in textAngular-sanitize.js in ...)
	NOT-FOR-US: textAngular
CVE-2015-0166
	REJECTED
CVE-2015-0165
	REJECTED
CVE-2015-0164
	REJECTED
CVE-2015-0163
	REJECTED
CVE-2015-0162 (IBM Security SiteProtector System 3.0, 3.1, and 3.1.1 allows local use ...)
	NOT-FOR-US: IBM
CVE-2015-0161 (SQL injection vulnerability in IBM Security SiteProtector System 3.0 b ...)
	NOT-FOR-US: IBM
CVE-2015-0160 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...)
	NOT-FOR-US: IBM
CVE-2015-0159
	REJECTED
CVE-2015-0158 (Cross-site scripting (XSS) vulnerability in the Coach NG framework in ...)
	NOT-FOR-US: IBM Business Process Manager
CVE-2015-0157 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 t ...)
	NOT-FOR-US: IBM DB2
CVE-2015-0156 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...)
	NOT-FOR-US: IBM
CVE-2015-0155
	REJECTED
CVE-2015-0154
	REJECTED
CVE-2015-0153 (D-Link DIR-815 devices with firmware before 2.07.B01 allow remote atta ...)
	NOT-FOR-US: D-Link
CVE-2015-0152 (D-Link DIR-815 devices with firmware before 2.07.B01 allow remote atta ...)
	NOT-FOR-US: D-Link
CVE-2015-0151 (Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devi ...)
	NOT-FOR-US: D-Link
CVE-2015-0150 (The remote administration UI in D-Link DIR-815 devices with firmware b ...)
	NOT-FOR-US: D-Link
CVE-2015-0149 (The developer portal in IBM API Management 3.0 before 3.0.4.1 does not ...)
	NOT-FOR-US: IBM API Management
CVE-2015-0148
	RESERVED
CVE-2015-0147
	RESERVED
CVE-2015-0146 (IBM Content Collector for Email 3.0 before 3.0.0.6-IBM-ICC-Server-IF00 ...)
	NOT-FOR-US: IBM Content Collector
CVE-2015-0145 (Cross-site request forgery (CSRF) vulnerability in IBM OpenPages GRC P ...)
	NOT-FOR-US: IBM
CVE-2015-0144 (Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform ...)
	NOT-FOR-US: IBM
CVE-2015-0143 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...)
	NOT-FOR-US: IBM
CVE-2015-0142 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...)
	NOT-FOR-US: IBM
CVE-2015-0141 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...)
	NOT-FOR-US: IBM
CVE-2015-0140 (An unspecified ActiveX control in IBM SPSS Statistics 22.0 through FP1 ...)
	NOT-FOR-US: IBM
CVE-2015-0139 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...)
	NOT-FOR-US: IBM WebSphere Portal
CVE-2015-0138 (GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-IT ...)
	NOT-FOR-US: IBM Tivoli Directory Server
CVE-2015-0137 (IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 v ...)
	NOT-FOR-US: IBM PowerVC
CVE-2015-0136 (powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x b ...)
	NOT-FOR-US: IBM PowerVC
CVE-2015-0135 (IBM Domino 8.5 before 8.5.3 FP6 IF4 and 9.0 before 9.0.1 FP3 IF2 allow ...)
	NOT-FOR-US: IBM Domino
CVE-2015-0134 (Buffer overflow in the SSLv2 implementation in IBM Domino 8.5.x before ...)
	NOT-FOR-US: IBM
CVE-2015-0133 (IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote atta ...)
	NOT-FOR-US: IBM
CVE-2015-0132 (The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 ...)
	NOT-FOR-US: IBM
CVE-2015-0131 (Cross-site scripting (XSS) vulnerability in IBM Leads 7.x, 8.1.0 befor ...)
	NOT-FOR-US: IBM
CVE-2015-0130 (Cross-site scripting (XSS) vulnerability in Jazz Team Server in Jazz F ...)
	NOT-FOR-US: IBM
CVE-2015-0129 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...)
	NOT-FOR-US: IBM Rational Quality Manager
CVE-2015-0128 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...)
	NOT-FOR-US: IBM Rational Quality Manager
CVE-2015-0127 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...)
	NOT-FOR-US: IBM
CVE-2015-0126 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...)
	NOT-FOR-US: IBM
CVE-2015-0125 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Next Ge ...)
	NOT-FOR-US: IBM Rational DOORS Next Generation
CVE-2015-0124 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...)
	NOT-FOR-US: IBM Rational Quality Manager
CVE-2015-0123 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...)
	NOT-FOR-US: IBM Rational Team Concert
CVE-2015-0122 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...)
	NOT-FOR-US: IBM Rational Team Concert
CVE-2015-0121 (IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through ...)
	NOT-FOR-US: IBM
CVE-2015-0120 (Buffer overflow in the FastBackMount process in IBM Tivoli Storage Man ...)
	NOT-FOR-US: IBM
CVE-2015-0119 (FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1 ...)
	NOT-FOR-US: IBM Tivoli Storage Manager FastBack
CVE-2015-0118 (IBM WebSphere Message Broker Toolkit 7 before 7007 IF2 and 8 before 80 ...)
	NOT-FOR-US: IBM
CVE-2015-0117 (The LDAP Server in IBM Domino 8.5.x before 8.5.3 FP6 IF6 and 9.x befor ...)
	NOT-FOR-US: IBM Domino
CVE-2015-0116 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...)
	NOT-FOR-US: IBM
CVE-2015-0115 (Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, 8.1. ...)
	NOT-FOR-US: IBM
CVE-2015-0114 (Stack-based buffer overflow in IBM V5R4, and IBM i Access for Windows ...)
	NOT-FOR-US: IBM
CVE-2015-0113 (The Jazz help system in IBM Rational Collaborative Lifecycle Managemen ...)
	NOT-FOR-US: IBM Rational Collaborative Lifecycle Management
CVE-2015-0112 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...)
	NOT-FOR-US: IBM Rational
CVE-2015-0111
	RESERVED
CVE-2015-0110 (IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and Web ...)
	NOT-FOR-US: IBM
CVE-2015-0109 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...)
	NOT-FOR-US: IBM
CVE-2015-0108 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...)
	NOT-FOR-US: IBM
CVE-2015-0107 (IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, ...)
	NOT-FOR-US: IBM
CVE-2015-0106 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...)
	NOT-FOR-US: IBM Business Process Manager
CVE-2015-0105 (Cross-site scripting (XSS) vulnerability in the Process Portal in IBM ...)
	NOT-FOR-US: IBM Business Process Manager
CVE-2015-0104 (IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, ...)
	NOT-FOR-US: IBM
CVE-2015-0103 (Multiple cross-site scripting (XSS) vulnerabilities in the Process Por ...)
	NOT-FOR-US: IBM Business Process Manager
CVE-2015-0102 (IBM Workflow for Bluemix does not set the secure flag for the session ...)
	NOT-FOR-US: IBM
CVE-2015-0101 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...)
	NOT-FOR-US: IBM
CVE-2015-0100 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0099 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0098 (Task Scheduler in Microsoft Windows 7 SP1 and Windows Server 2008 R2 S ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0097 (Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 20 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0096 (Untrusted search path vulnerability in Microsoft Windows Server 2003 S ...)
	NOT-FOR-US: Microsoft
CVE-2015-0095 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-0094 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-0093 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0092 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0091 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0090 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0089 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0088 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0087 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0086 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gol ...)
	NOT-FOR-US: Microsoft
CVE-2015-0085 (Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0084 (The Task Scheduler in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0083
	REJECTED
CVE-2015-0082
	REJECTED
CVE-2015-0081 (Windows Text Services (WTS) in Microsoft Windows Server 2003 SP2, Wind ...)
	NOT-FOR-US: Microsoft
CVE-2015-0080 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0079 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-0078 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-0077 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2015-0076 (The photo-decoder implementation in Microsoft Windows Vista SP2, Windo ...)
	NOT-FOR-US: Microsoft
CVE-2015-0075 (The kernel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wi ...)
	NOT-FOR-US: Microsoft
CVE-2015-0074 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...)
	NOT-FOR-US: Microsoft
CVE-2015-0073 (The Windows Registry Virtualization feature in the kernel in Microsoft ...)
	NOT-FOR-US: Microsoft
CVE-2015-0072 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0071 (Microsoft Internet Explorer 9 through 11 allows remote attackers to by ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0070 (Microsoft Internet Explorer 6 through 11 allows remote attackers to re ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0069 (Microsoft Internet Explorer 10 and 11 allows remote attackers to bypas ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0068 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0067 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0066 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0065 (Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary c ...)
	NOT-FOR-US: Microsoft Word
CVE-2015-0064 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word Automati ...)
	NOT-FOR-US: Microsoft
CVE-2015-0063 (Microsoft Excel 2007 SP3; the proofing tools in Office 2010 SP2; Excel ...)
	NOT-FOR-US: Microsoft
CVE-2015-0062 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8, Window ...)
	NOT-FOR-US: Microsoft
CVE-2015-0061 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0060 (The font mapper in win32k.sys in the kernel-mode drivers in Microsoft ...)
	NOT-FOR-US: Microsoft
CVE-2015-0059 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0058 (Double free vulnerability in win32k.sys in the kernel-mode drivers in ...)
	NOT-FOR-US: Microsoft
CVE-2015-0057 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0056 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0055 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0054 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0053 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0052 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0051 (Microsoft Internet Explorer 8 allows remote attackers to bypass the AS ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0050 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0049 (Microsoft Internet Explorer 8 and 10 allows remote attackers to execut ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0048 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0047
	REJECTED
CVE-2015-0046 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0045 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0044 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0043 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0042 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0041 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0040 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0039 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0038 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0037 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0036 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0035 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0034
	REJECTED
CVE-2015-0033
	REJECTED
CVE-2015-0032 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Inter ...)
	NOT-FOR-US: Microsoft
CVE-2015-0031 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0030 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0029 (Microsoft Internet Explorer 6 and 8 allows remote attackers to execute ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0028 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0027 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0026 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0025 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0024
	REJECTED
CVE-2015-0023 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0022 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0021 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0020 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0019 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0018 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0017 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0016 (Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) co ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0015 (Microsoft Windows Server 2003 SP2, Server 2008 SP2 and R2 SP1, and Ser ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0014 (Buffer overflow in the Telnet service in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0013
	REJECTED
CVE-2015-0012 (Microsoft System Center Virtual Machine Manager (VMM) 2012 R2 Update R ...)
	NOT-FOR-US: Microsoft
CVE-2015-0011 (mrxdav.sys (aka the WebDAV driver) in the kernel-mode drivers in Micro ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0010 (The CryptProtectMemory function in cng.sys (aka the Cryptography Next ...)
	NOT-FOR-US: Microsoft
CVE-2015-0009 (The Group Policy Security Configuration policy implementation in Micro ...)
	NOT-FOR-US: Microsoft
CVE-2015-0008 (The UNC implementation in Microsoft Windows Server 2003 SP2, Windows V ...)
	NOT-FOR-US: Microsoft
CVE-2015-0007
	REJECTED
CVE-2015-0006 (The Network Location Awareness (NLA) service in Microsoft Windows Serv ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0005 (The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Ser ...)
	NOT-FOR-US: Microsoft
CVE-2015-0004 (The User Profile Service (aka ProfSvc) in Microsoft Windows Server 200 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0003 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...)
	NOT-FOR-US: Microsoft
CVE-2015-0002 (The AhcVerifyAdminContext function in ahcache.sys in the Application C ...)
	NOT-FOR-US: Microsoft Windows
CVE-2015-0001 (The Windows Error Reporting (WER) component in Microsoft Windows 8, Wi ...)
	NOT-FOR-US: Microsoft Windows