Date: Sat, 8 Feb 2014 12:17:31 +0100
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Vulnerability Information Managers <vim@...rition.org>
Subject: Fwd: Old CVE ids, public, but still "RESERVED"

Sending a copy to oss-sec, in case there are people interested in this kind 
of information.

----------  Forwarded Message  ----------

Subject: Old CVE ids, public, but still "RESERVED"
Date: Friday 24 January 2014
From: Raphael Geissert <geissert@...ian.org>
To: Vulnerability Information Managers <vim@...rition.org>

Hi,

Attached are lists of CVE ids which are still marked as RESERVED
(i.e. no description/links/etc have been set) yet our security tracker
knows about them. As the tracker only contains public data, this means
that the ids are not embargoed.

Hopefully these lists can be useful to MITRE to catch up on those, or
to anyone else.
I can generate these and other reports regularly if desired.

Notes:
* The year in the file name corresponds to the year in the CVE id, not
necessarily the year of assignment.
* The lists only contain the CVE id, probably a short description, and
one line of data from our tracker. The full data can be obtained
either by going to
https://security-tracker.debian.org/tracker/CVE-YYYY-XXXX or by
looking it up in our text database.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

CVE-2011-4973 [mod_nss FakeBasicAuth authentication bypass]
	- libapache2-mod-nss <unfixed> (low; bug #729626)
CVE-2011-4972 [CKEditor module for Drupal access bypass]
	NOT-FOR-US: Drupal module
CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
	- lcgdm 1.8.6-1 (low; bug #702895)
CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
	- nginx <unfixed> (low; bug #697940)
CVE-2011-4967
	NOT-FOR-US: OpenPegasus
CVE-2011-4958 [silverstripe:XSS]
	- silverstripe <itp> (bug #528461)
CVE-2011-4955
	NOT-FOR-US: wordpress bsuite plugin
CVE-2011-4954
	- cobbler <itp> (bug #545583)
CVE-2011-4953
	- cobbler <itp> (bug #545583)
CVE-2011-4952
	- cobbler <itp> (bug #545583)
CVE-2011-4938
	NOT-FOR-US: Ariadne CMS not in Debian
CVE-2011-4937
	- joomla <itp> (bug #571794)
CVE-2011-4936
	- joomla <itp> (bug #571794)
CVE-2011-4935
	- joomla <itp> (bug #571794)
CVE-2011-4934
	- joomla <itp> (bug #571794)
CVE-2011-4933
	- joomla <itp> (bug #571794)
CVE-2011-4931
	- gpw <unfixed> (unimportant; bug #651510)
CVE-2011-4930
	- condor <not-affected> (Fixed before initial release)
CVE-2011-4924
	- zope2.12 2.12.22-1
CVE-2011-4919 [mpack info disclosure]
	- mpack 1.6-8 (low; bug #655971)
CVE-2011-4917
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4915
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4912
	NOT-FOR-US: Joomla
CVE-2011-4908
	NOT-FOR-US: Joomla
CVE-2011-4907
	NOT-FOR-US: Joomla
CVE-2011-4906
	NOT-FOR-US: Joomla
CVE-2011-4904
	{DSA-2289-1}
CVE-2011-4903
	{DSA-2289-1}
CVE-2011-4902
	{DSA-2289-1}
CVE-2011-4901
	{DSA-2289-1}
CVE-2011-4900
	{DSA-2289-1}
CVE-2011-4632
	{DSA-2289-1}
CVE-2011-4631
	{DSA-2289-1}
CVE-2011-4630
	{DSA-2289-1}
CVE-2011-4629
	{DSA-2289-1}
CVE-2011-4628
	{DSA-2289-1}
CVE-2011-4627
	{DSA-2289-1}
CVE-2011-4626
	{DSA-2289-1}
CVE-2011-4625 [simplesamlphp xml encryption issues]
	{DSA-2330-1}
CVE-2011-4624
	NOT-FOR-US: WordPress flash-album-gallery
CVE-2011-4613 [X launcher permission bypass]
	{DSA-2364-1}
CVE-2011-4610
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2011-4600
	- libvirt 0.9.9-1 (low)
CVE-2011-4595
	NOT-FOR-US: WordPress pretty-link plugin
CVE-2011-4580
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-4573
	NOT-FOR-US: JBoss Operations Network
CVE-2011-4558
	- tikiwiki <removed>
CVE-2011-4455
	- tikiwiki <removed>
CVE-2011-4454
	- tikiwiki <removed>
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
	- software-properties 0.76.7debian2+nmu2
CVE-2011-4406
	- accountsservice 0.6.15-3
CVE-2011-4366
	NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
	NOTE: duplicate of CVE-2011-4090
CVE-2011-4350
	- yaws 1.91-2 (bug #650009)
CVE-2011-4343
	NOT-FOR-US: Apache MyFaces
CVE-2011-4338
	NOT-FOR-US: Arch-Linux specific tool
CVE-2011-4336
	NOT-FOR-US: Tiki Wiki
CVE-2011-4334
	NOT-FOR-US: LabWiki
CVE-2011-4333
	NOT-FOR-US: LabWiki
CVE-2011-4327
	- openssh <not-affected> (Only affects platforms w/o /dev/random)
CVE-2011-4322
	NOT-FOR-US: websitebaker
CVE-2011-4310
	- cmsms <itp> (bug #608888)
CVE-2011-4195
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4193
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4192
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4121
	- ruby1.9.1 <not-affected> (Only affected trunk versions)
CVE-2011-4120 [authentication bypass by pressing ctrl-d]
	- yubico-pam 2.10-1
CVE-2011-4117
	NOT-FOR-US: perl Batch::BatchRun CPAN module
CVE-2011-4116
	- perl <unfixed> (unimportant)
CVE-2011-4115
	- libparallel-forkmanager-perl <not-affected> (issue introduced in 0.7.6 upstream, never in Debian)
CVE-2011-4111
	- qemu 0.15.1+dfsg-2
CVE-2011-4104
	- django-tastypie 0.9.10-1 (bug #647314)
CVE-2011-4103 [YAML deserialization vulnerability in Piston framework]
	{DSA-2344-1}
CVE-2011-4099
	- libcap2 1:2.22-1 (low)
CVE-2011-4095
	NOT-FOR-US: Jara
CVE-2011-4094
	NOT-FOR-US: Jara
CVE-2011-4093
	- net6 1:1.3.14-1 (low; bug #647318)
CVE-2011-4092
	- obby <unfixed> (low; bug #647317)
CVE-2011-4091
	[squeeze] - net6 <no-dsa> (Minor issue)
CVE-2011-4090 [serendipity before 1.6 backend XSS in karma plugin]
	- serendipity <removed> (bug #650937)
CVE-2011-4089
	- bzip2 1.0.6-1 (low; bug #632862)
CVE-2011-4088
	NOT-FOR-US: abrt/libreport
CVE-2011-4083
	NOT-FOR-US: RedHat sos
CVE-2011-4082
	- phpldapadmin 0.9.8-1
CVE-2011-3923
	- libstruts1.2-java <not-affected> (Only affects 2.x)
CVE-2011-3642 [flowplayer-core: Arbitrary plugins with remote code execution (XSS)]
	- mahara <removed> (low; bug #699230)
CVE-2011-3634
	- apt 0.8.11 (low)
CVE-2011-3632 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3631 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3630 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3629
	NOT-FOR-US: Joomla
CVE-2011-3628
	- pam 1.1.3-7 (low; bug #670076)
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
	- mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987)
CVE-2011-3624
	- ruby1.8 <unfixed> (low; bug #646020)
CVE-2011-3623 [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
	- vlc 1.1.3-1
CVE-2011-3622
	NOT-FOR-US: phorum
CVE-2011-3621
	NOT-FOR-US: fluxbb
CVE-2011-3618 [atop insecure tempfile handling]
	- atop 1.23-1.1 (low; bug #622794)
CVE-2011-3617 [tahoe-lafs: an unauthorized user can delete files]
	- tahoe-lafs 1.8.3-1 (bug #641540)
CVE-2011-3614 [vanilla plugin access control]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3613 [vanilla forums cookie theft]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
	NOT-FOR-US: Serendipity plugin
CVE-2011-3609 [CSRF in the JBoss AS 7 administration console & HTTP management API]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3606 [DOM based XSS in the JBoss AS 7 administration console]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3605
	{DSA-2323-1}
CVE-2011-3604
	{DSA-2323-1}
CVE-2011-3603
	NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3602
	{DSA-2323-1}
CVE-2011-3601
	{DSA-2323-1}
CVE-2011-3600
	- libxmlrpc3-java 3.1.3-1 (low)
CVE-2011-3596
	- polipo 1.0.4.1-1.2 (bug #644289)
CVE-2011-3595
	- joomla <itp> (bug #571794)
CVE-2011-3592 [phpMyAdmin did not properly sanitize the content of db, table, and column names prior use of their values.]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3591 [PMASA-2011-14 XSS]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3590 [mkdumprd utility created the final initial ramdisk image with...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3589 [mkdumprd utility copied content of certain directories into newly...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3588 [kdump/mkdumprd: the default value of "StrictHostKeyChecking=no"]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3586
	NOTE: Dupe of CVE-2011-3504, to be rejected
CVE-2011-3585
	- samba 2:3.4.7~dfsg-2 (low)
CVE-2011-3584 [TYPO3-SA-2011-003]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641683)
CVE-2011-3583 [TYPO3-SA-2011-002]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641682)
CVE-2011-3582
	NOT-FOR-US: Advanced Electron Forums
CVE-2011-3350 [masqmail improper privilege dropping]
	- masqmail 0.2.30-1 (low; bug #638002)
CVE-2011-3377 [IcedTea browser plugin Same Origin Policy suffix issue]
	{DSA-2420-1}
CVE-2011-3374 [apt-key insecure validation]
	- apt <unfixed> (unimportant; bug #642480)
CVE-2011-3373
	NOT-FOR-US: Views Bulk Operations module for Drupal
CVE-2011-3370
	- statusnet <itp> (bug #491723)
CVE-2011-3355
	- evolution-data-server3 3.2.1-1 (bug #641052)
CVE-2011-3352
	NOT-FOR-US: Zikula
CVE-2011-3351
	- openvas-scanner <unfixed> (bug #641327; low)
CVE-2011-3349 [lightdm denial of service]
	- lightdm 0.9.6-1 (bug #639151)
CVE-2011-3346
	- qemu-kvm 0.15.1+dfsg-1 (bug #646118)
CVE-2011-3344
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3203 [Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution]
	NOT-FOR-US: Jcow
CVE-2011-3202 [Jcow CMS 4.2 <= | Cross Site Scripting]
	NOT-FOR-US: Jcow
CVE-2011-3199
	{DSA-2365-1}
CVE-2011-3198
	{DSA-2365-1}
CVE-2011-3197
	{DSA-2365-1}
CVE-2011-3196
	{DSA-2365-1}
CVE-2011-3195
	{DSA-2365-1}
CVE-2011-3183
	NOT-FOR-US: Concrete CMS
CVE-2011-3180
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-3154
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3153
	- lightdm 1.0.6-2
CVE-2011-3152
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3145
	{DSA-2382-1}
CVE-2011-2941
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-2936
	- elgg <itp> (bug #526197)
CVE-2011-2935
	- elgg <itp> (bug #526197)
CVE-2011-2934
	NOT-FOR-US: WebsiteBaker
CVE-2011-2933
	NOT-FOR-US: WebsiteBaker
CVE-2011-2927
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2924
	- foomatic-filters 4.0.12-1 (low)
CVE-2011-2923
	- foomatic-filters <unfixed> (unimportant)
CVE-2011-2922
	- ktsuss <removed>
CVE-2011-2921
	- ktsuss <removed>
CVE-2011-2920
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2916
	- qtnx <removed> (low; bug #637439)
CVE-2011-2910
	- ax25-tools 0.0.8-13.2 (low; bug #638198)
CVE-2011-2909
	{DSA-2303-1}
CVE-2011-2902 [xpdf: insecure tempfile usage]
	- xpdf 3.02-19 (low; bug #635849)
CVE-2011-2897
	- gdk-pixbuf <not-affected> (This only applies to the old standalone copy shipped until Lenny)
CVE-2011-2765 [pyro: insecure use of temporary pid file]
	- pyro 1:3.14-1 (low; bug #631912)
CVE-2011-2727
	NOT-FOR-US: Tribiq CMS
CVE-2011-2726 [SA-CORE-2011-003]
	- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
	- kdeutils 4:4.6.5-4 (low; bug #635541)
CVE-2011-2717
	NOT-FOR-US: udhcp6c
CVE-2011-2715
	NOT-FOR-US: Drupal data module
CVE-2011-2714
	NOT-FOR-US: Drupal data module
CVE-2011-2706
	NOT-FOR-US: sNews
CVE-2011-2702 [eglibc signedness vulnerability in ssse3 optimizations]
	- eglibc 2.13-10
CVE-2011-2684
	- foo2zjs 20110722dfsg-1 (low; bug #633870)
CVE-2011-2683
	- reseed <removed>
CVE-2011-2538
	- plone3 <removed>
CVE-2011-2523
	- vsftpd <not-affected> (backdoored version was never in the Debian archive)
CVE-2011-2515
	- packagekit 0.6.17-1
CVE-2011-2514
	- openjdk-6 6b21~pre1-1
CVE-2011-2513
	- openjdk-6 6b21~pre1-1
CVE-2011-2500
	- nfs-utils 1:1.2.4-1 (bug #633155)
CVE-2011-2499
	NOT-FOR-US: Mambo CMS
CVE-2011-2498
	- linux-2.6 2.6.39-1 (low)
CVE-2011-2487
	NOT-FOR-US: Apache CXF
CVE-2011-2480 [kfreebsd info disclosure]
	- kfreebsd-9 9.0~svn223502-1 (bug #631160)
CVE-2011-2207
	- dirmngr <unfixed> (unimportant; bug #627377)
CVE-2011-2187
	- xscreensaver 5.14-1 (bug #627382)
CVE-2011-2186
	NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
CVE-2011-2177
	- libreoffice <undetermined>
CVE-2011-2198 [vte memory exhaustion]
	- vte 1:0.28.1-1 (low; bug #629688)
CVE-2011-2054
	NOT-FOR-US: ** REJECT ** CVE-2011-2054 misused as CVE-2011-2524
CVE-2011-1939
	- zendframework 1.11.6-1 (low)
CVE-2011-1935 [packet truncation in libpcap]
	- libpcap 1.1.1-4 (low; bug #623868)
CVE-2011-1934 [lilo: lilo.conf world-readable]
	- lilo 23.1-2 (low; bug #615103)
CVE-2011-1933
	- libjifty-dbi-perl 0.68-1 (low; bug #622919)
CVE-2011-1930
	- klibc 1.5.22-1 (low)
CVE-2011-1837
	{DSA-2382-1}
CVE-2011-1836
	- ecryptfs-utils 92-1
CVE-2011-1835
	{DSA-2382-1}
CVE-2011-1834
	{DSA-2382-1}
CVE-2011-1832
	{DSA-2382-1}
CVE-2011-1831
	{DSA-2382-1}
CVE-2011-1798
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1796
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1795
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1794
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1793
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1773
	NOT-FOR-US: virt-v2v
CVE-2011-1749 [nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE]
	- nfs-utils 1:1.2.3-3 (low; bug #629420)
CVE-2011-1597
	NOT-FOR-US: OpenVAS Manager
CVE-2011-1596
	NOT-FOR-US: ** REJECT ** (regular bug in gnome-screensaver-dialog)
CVE-2011-1594
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1588
	- thunar <not-affected> (Introduced in 1.2, only in experimental)
CVE-2011-1490
	- rsyslog 5.7.6-1 (low)
CVE-2011-1489
	- rsyslog 5.7.6-1 (low)
CVE-2011-1488
	- rsyslog 5.7.6-1 (low)
CVE-2011-1474
	NOT-FOR-US: PaX hardening patch
CVE-2011-1408 [ikiwiki tty hijacking vulnerability]
	- ikiwiki 3.20110608 (low)
CVE-2011-1151
	NOT-FOR-US: Joomla!
CVE-2011-1150
	NOT-FOR-US: bbPress
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
	- unixodbc 2.2.14p2-3 (low; bug #617655)
CVE-2011-1086
	NOT-FOR-US: openfiler
CVE-2011-1085
	NOT-FOR-US: smoothwall
CVE-2011-1084
	NOT-FOR-US: smoothwall
CVE-2011-1070
	- v86d 0.1.10-1 (low; bug #619404)
CVE-2011-1069
	NOT-FOR-US: PHPShop
CVE-2011-1028
	- smarty3 3.0.8-1
CVE-2011-1009
	NOT-FOR-US: Vanilla Forums
CVE-2011-1133 [xinha XSS mode param]
	- serendipity <removed> (bug #611661)
CVE-2011-1134 [xinha XSS image manager]
	- serendipity <removed> (bug #611661)
CVE-2011-1135 [xinha multiple vulns]
	- serendipity <removed> (bug #611661)
CVE-2011-1136 [tesseract tempfile]
	- tesseract 2.04-2.1 (low; bug #612032)
CVE-2011-0705 [path traversal in SimpleHTTPServer]
	NOTE: Will be rejected
CVE-2011-0704
	NOT-FOR-US: 389 Directory Server
CVE-2011-0703
	- gksu-polkit <removed> (bug #684489)
CVE-2011-0699
	- linux-2.6 2.6.37-2
CVE-2011-0544
	- phpbb3 3.0.7-PL1-5 (low; bug #612477)
CVE-2011-0529
	- weborf 0.12.5-1
CVE-2011-0528
	- puppet 2.6.2-3
CVE-2011-0525
	NOT-FOR-US: Batavi
CVE-2011-0460
	- kbd <not-affected> (SUSE-specific)
CVE-2011-0428
	- ikiwiki 3.20110122
CVE-2011-0068
	- xulrunner <not-affected> (Only affects Firefox 4.0, not yet in unstable)

CVE-2012-6619 [MongoDB memory over-read via incorrect BSON object length]
	- mongodb 1:2.4.1-1
CVE-2012-6110 [bcron file descriptors not closed]
	- bcron 0.09-13 (low; bug #686650)
CVE-2012-6345
	NOT-FOR-US: CyberArk Vault
CVE-2012-6344
	NOT-FOR-US: CyberArk Vault
CVE-2012-6342
	NOT-FOR-US: Atlassian Confluence
CVE-2012-6146 [Backend History Module Information Disclosure]
	{DSA-2574-1}
CVE-2012-6143 [Storable::thaw called on untrusted inputs]
	- libspoon-perl <unfixed> (bug #715371; low)
CVE-2012-6142 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: HTML-EP CPAN module
CVE-2012-6141 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: App-Context CPAN module
CVE-2012-6136
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2012-6135
	- ruby-passenger <not-affected> (Vulnerable code not present; bug #702219)
CVE-2012-6133 [XSS flaws in ok and error messages]
	- roundup 1.4.20-1
CVE-2012-6132 [XSS flaw with the otk parameter]
	- roundup 1.4.20-1
CVE-2012-6131 [XSS flaw in @action parameter]
	- roundup 1.4.20-1
CVE-2012-6130 [XSS vulnerability when usernames contain HTML]
	- roundup 1.4.20-1
CVE-2012-6125
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6124
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6123
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6122
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2012-6114 [temp file vulnerability in git-extras]
	- git-extras 1.7.0-1.2 (bug #698490)
CVE-2012-6111 [gnome-keyring does not discard stored secrets in some cases]
	- gnome-keyring 3.8.2-1 (low; bug #697896)
CVE-2012-6108 [default permissions for /var/log/hp are too open]
	- hplip <not-affected> (permissions are 755 on wheezy, sid and experimental)
CVE-2012-6107 [Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate]
	- axis2c <unfixed> (bug #697974)
CVE-2012-6094
	- cups <not-affected> (systemd patch not applied in Debian, see bug #697584)
CVE-2012-6086 [zabbix insecure curl usage]
	- zabbix 1:2.0.7+dfsg-1 (bug #697443)
CVE-2012-6083
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-6079
	NOT-FOR-US: W3 Total Cache
CVE-2012-6078
	NOT-FOR-US: W3 Total Cache
CVE-2012-6077
	NOT-FOR-US: W3 Total Cache
CVE-2012-6071 [libnusoap-php: Curl insecure usage]
	- nusoap 0.7.3-5 (low; bug #696707)
CVE-2012-6070 [falconpl: Curl insecure usage]
	- falconpl 0.9.6.9-git20120606-2 (bug #696681)
CVE-2012-5844
	- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
CVE-2012-5663
	NOT-FOR-US: Isearch
CVE-2012-5662
	- ibm-3270 <unfixed> (bug #706547)
CVE-2012-5650 [DOM based XSS via Futon UI]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5649 [JSONP arbitrary code execution with Adobe Flash]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5645
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
	- libuser <unfixed> (low; bug #705690)
CVE-2012-5641
	- couchdb <not-affected> (Only affects CouchDB on Windows)
CVE-2012-5640 [thttpd: Local DoS vulnerability]
	- thttpd <removed> (low)
CVE-2012-5639
	- libreoffice <unfixed> (unimportant)
CVE-2012-5631
	NOT-FOR-US: FreeIPA
CVE-2012-5630 [TOCTOU race conditions by copying and removing directory trees]
	- libuser <unfixed> (low; bug #705690)
CVE-2012-5628
	NOT-FOR-US: gofer component of PULP project
CVE-2012-5623
	NOT-FOR-US: change_passwd plugin for Squirrelmail
CVE-2012-5621 [Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with not UTF-8 valid name]
	- ekiga 3.2.7-6 (bug #702282; low)
CVE-2012-5620
	NOT-FOR-US: Dovecot non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
CVE-2012-5619
	- sleuthkit <unfixed> (unimportant; bug #695097)
CVE-2012-5618
	NOT-FOR-US: Ushahidi
CVE-2012-5617 [privilege escalation due to improper authentication settings in policykit configuration file]
	- gksu-polkit <removed> (bug #695807)
CVE-2012-5583 [phpcas curl usage]
	- php-cas 1.3.1-2
CVE-2012-5582 [opendnssec curl usage]
	- opendnssec <not-affected> (eppclient not built in Debian package)
CVE-2012-5580 [libproxy: format string issue]
	- libproxy 0.3.1-4 (low)
CVE-2012-5578 [Python keyring insecure permissions on new databases]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5577 [Python keyring insecure permissions on migrated files]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
	- libdancer-perl 1.3114+dfsg-1 (low; bug #694279)
CVE-2012-5567
	- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5566
	- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5565
	NOT-FOR-US: This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code
CVE-2012-5560
	NOT-FOR-US: MATE gnome fork
CVE-2012-5535
	- gnome-system-log <not-affected> (Fedora-specific issue)
CVE-2012-5527
	- claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391)
CVE-2012-5524
	- gajim 0.15.4-1 (low; bug #693282)
CVE-2012-5521
	- quagga <unfixed> (unimportant; bug #693102)
CVE-2012-5518
	NOT-FOR-US: ovirt / vsdm
CVE-2012-5508 [ Zope/Plone: PRNG isn't reseeded]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5507 [ Zope/Plone: Timing attack in password validation ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5506 [ Zope/Plone: DoS through RSS on private folder ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5505 [ Zope/Plone: Attempting to access a view with no name returns an internal data structure ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5504 [ Zope/Plone: Persistent XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5503 [ Zope/Plone: Users connected through FTP can list hidden folder contents ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5502 [ Zope/Plone: Persistent XSS via filtering bypass ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5501 [ Zope/Plone: Crafted URL allows downloading of BLOBs that are not visible to the user ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5500 [ Zope/Plone: Anonymous users can batch change titles of content items ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5499 [ Zope/Plone: Partial denial of service through internal function ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5498 [ Zope/Plone: Partial denial of service through Collections functionality ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5497 [ Zope/Plone: Anonymous users can list user account names ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5496 [ Zope/Plone: DoS through unsanitised inputs into Kupu ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5495 [ Zope/Plone: Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5494 [ Zope/Plone: Reflexive XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5493 [ Zope/Plone: Restricted Python sandbox escape ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5492 [ Zope/Plone: Partial permissions bypass ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5491 [ Zope/Plone: Form detail exposure ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5490 [ Zope/Plone: Reflexive XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5489 [ Zope/Plone: Partial restricted Python sandbox escape ]
	- zope2.12 <unfixed> (bug #692899)
CVE-2012-5488 [ Zope/Plone: Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5487 [ Zope/Plone: Restricted Python sandbox escape ]
	- zope2.12 <unfixed> (unimportant; bug #692899)
CVE-2012-5486 [ Zope/Plone: Reflexive HTTP header injection ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5485 [ Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5476
	- horizon <not-affected> (File is installed with 0700 perms in Debian)
CVE-2012-5474
	- horizon 2012.1.1-7
CVE-2012-5395
	NOT-FOR-US: Mediawiki extension CentralAuth
CVE-2012-5391
	- mediawiki 1:1.19.3-1 (bug #694998)
CVE-2012-5390 [Possible privilege escalation]
	- condor <not-affected> (standard universe is disabled in the Debian package, see bug #697936)
CVE-2012-5366
	NOT-FOR-US: Mac OS X
CVE-2012-5365
	- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5364
	NOT-FOR-US: Microsoft Windows
CVE-2012-5363
	- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5362
	NOT-FOR-US: Microsoft Windows
CVE-2012-5361
	- ffmpeg <removed>
CVE-2012-5360
	- ffmpeg <removed>
CVE-2012-5359
	- ffmpeg <removed>
CVE-2012-5241
	NOT-FOR-US: PEAR module for Twitter
CVE-2012-5236 [Admin can decrypt user files]
	- owncloud <unfixed> (low)
CVE-2012-4410
	NOTE: to be rejected
CVE-2012-4576 [freebsd privilege escalation]
	- kfreebsd-8 8.3-6 (bug #694096)
CVE-2012-4570 [sql injection]
	- php-letodms-core 3.3.8-1
CVE-2012-4569 [multiple xss in 3.3.9]
	- letodms 3.3.9+dfsg-1
CVE-2012-4568 [csrf]
	- letodms 3.3.9+dfsg-1
CVE-2012-4567 [multiple xss in 3.3.8]
	- letodms 3.3.9+dfsg-1
CVE-2012-4526 [XSS in password.php, incomplete fix for CVE-2012-4525]
	- piwigo <not-affected> (incomplete fix not applied to Debian package)
CVE-2012-4525 [XSS in password.php]
	- piwigo <removed>
CVE-2012-4524 [xlockmore bypass]
	- xlockmore <removed> (low)
CVE-2012-4519
	NOT-FOR-US: Zenphoto
CVE-2012-4512
	- kdebase <removed> (unimportant)
CVE-2012-4480
	NOT-FOR-US: mom
CVE-2012-4451 [php-ZendFramework: XSS vectors in multiple Zend Framework components ZF2012-03]
	- zendframework <not-affected> (Vulnerable code introduced in 2.x, #688946)
CVE-2012-4441 [jenkins XSS in CI game plugin]
	- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4440 [jenkins XSS in Violations plugin]
	- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4439 [jenkins XSS]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4438 [jenkins remote code execution]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4434 [fwknop 2.0.3: multiple DoS / code execution flaw]
	- fwknop 2.0.3-1 (bug #688151)
CVE-2012-4428
	- openslp-dfsg <unfixed> (bug #687597; low)
CVE-2012-4420 [Duplicate of CVE-2012-4416]
	NOT-FOR-US: Duplicate of CVE-2012-4416
CVE-2012-4385 [letodms CSRF]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4384 [letodms XSS]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4383
	NOT-FOR-US: Contao
CVE-2012-4382 [Info leak in user blocks]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4381 [Passwords were stored in local DB even if auth systems like LDAP were used]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4380 [Insufficient API for account creation block]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4379 [CSRF]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4378 [DOM-based XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4377 [mediawiki stored XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-3543
	- mono 2.10.8.1-7 (bug #686562)
CVE-2012-3522 [geshi XSS in contrib/langwiz.php]
	- geshi <not-affected> (Vulnerable code not present, see bug #685323)
CVE-2012-3521 [geshi information disclosure in contrib/cssgen.php]
	- geshi 1.0.8.4-2 (bug #685324)
CVE-2012-3490
	- condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210)
CVE-2012-3427
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-3415
	- plpupload <itp> (bug #668396)
CVE-2012-3409
	- ecryptfs-utils 99-1 (bug #682220)
CVE-2012-3407
	NOT-FOR-US: plow
CVE-2012-3406 [glibc formatted printing vulnerabilities]
	- eglibc <unfixed> (low; bug #681888)
CVE-2012-3405 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3404 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3359
	NOT-FOR-US: Red Hat Conga
CVE-2012-2979 [VU#517036: NSD 3.2.13 emergency release]
	- nsd3 <not-affected> (Debian version not affected)
CVE-2012-2945
	- hadoop <itp> (bug #535861)
CVE-2012-2736 [NetworkManager: creating new WPA-secured wireless network results in insecure network being created instead]
	- network-manager 0.9.4.0-1 (low; bug #655972)
CVE-2012-2724
	NOT-FOR-US: Drupal module
CVE-2012-2714
	NOT-FOR-US: Drupal module
CVE-2012-2663
	- iptables <unfixed> (unimportant; bug #675445)
CVE-2012-2656 [XXE vulnerability in Restlet]
	- restlet <itp> (bug #596472)
CVE-2012-2350 [pam_shield default configuration does not take any action]
	- pam-shield 0.9.2-3.3 (low; bug #658830)
CVE-2012-2328
	NOT-FOR-US: sblim
CVE-2012-2312
	- jbossas4 <not-affected> (Only affects JBoss 7)
CVE-2012-2301 [Drupal SA-CONTRIB-2012-064 - Ubercart - Arbitrary PHP Execution]
	NOT-FOR-US: Drupal addon not packaged
CVE-2012-2250
	- tor 0.2.3.24-rc-1 (low)
CVE-2012-2249
	- tor 0.2.3.23-rc-1 (low)
CVE-2012-2248 [build-influenced PATH set in dhclient]
	- isc-dhcp 4.2.4-3 (bug #690532)
CVE-2012-2238
	- tryton-server <not-affected> (only affected 2.4, in experimental)
CVE-2012-2237
	{DSA-2540-1}
CVE-2012-2095 [wicd command execution with root privileges]
	- wicd 1.7.2.4-1 (low; bug #668397)
CVE-2012-2148
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-2142 [Insufficient sanitization of escape sequences in the error message]
	- xpdf <not-affected> (uses poppler's Error.cc)
CVE-2012-2134
	NOT-FOR-US: Dynamic LDAP backend plugin for BIND
CVE-2012-2130
	- polarssl 1.1.2-1
CVE-2012-2108
	- csound 1:5.17.6~dfsg-1 (low; bug #661197)
CVE-2012-2107
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2106
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2092
	- cobbler <itp> (bug #545583)
CVE-2012-2079
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-2078
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1637
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1622
	NOT-FOR-US: Apache OFBiz
CVE-2012-1621
	NOT-FOR-US: Apache OFBiz
CVE-2012-1615 [sectool dbus priv escalation]
	NOT-FOR-US: sectool
CVE-2012-1600 [XSS from 5.0.4 release]
	- phppgadmin 5.0.4-1
CVE-2012-1592
	- libstruts1.2-java <not-affected> (Only applies to Struts 2, see bug #657870)
CVE-2012-1577
	- dietlibc 0.33~cvs20120325-1 (unimportant)
CVE-2012-1572
	- keystone 2012.1~rc2-1
CVE-2012-1567
	NOT-FOR-US: LinuxMint
CVE-2012-1566
	NOT-FOR-US: LinuxMint
CVE-2012-1563
	- joomla <itp> (bug #571794)
CVE-2012-1562
	- joomla <itp> (bug #571794)
CVE-2012-1561
	NOT-FOR-US: Drupal Finder
CVE-2012-1102 [XML::Atom Perl module XML entity expansion]
	{DSA-2424-1}
CVE-2012-1301
	NOT-FOR-US: Umbraco
CVE-2012-1257
	- pidgin <unfixed> (unimportant)
CVE-2012-1187
	- bitlbee 3.0.4+bzr855-1 (low)
CVE-2012-1171 [safemode bypass after RSHUTDOWN]
	- php5 <unfixed> (unimportant)
CVE-2012-1170
	- moodle <not-affected> (Only affects 2.2)
CVE-2012-1169
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1168
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1166 [ldm (LTSP display manager)]
	- ldm 2:2.2.7-1 (bug #663645)
CVE-2012-1161
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1160
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1159
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1158
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1157
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1156
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1155
	- moodle 1.9.9.dfsg2-6 (low; bug #668411)
CVE-2012-1124
	NOT-FOR-US: phxEventManager not in Debian
CVE-2012-1115
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1114
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1111
	- lightdm 1.0.9-1 (bug #658678)
CVE-2012-1109
	NOT-FOR-US: mwlib not in Debian
CVE-2012-1105
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1104
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1101
	- systemd 43-1 (bug #662029)
CVE-2012-1100
	NOT-FOR-US: JBoss Operations Network
CVE-2012-1096
	- network-manager <unfixed> (low; bug #684259)
CVE-2012-1095
	- osc <unfixed> (unimportant)
CVE-2012-1094
	NOT-FOR-US: mod_cluster
CVE-2012-1093 [init script x11-common creates directories in insecure manner]
	- xorg 1:7.6+12 (bug #661627)
CVE-2012-1088
	- iproute 20120319-1 (unimportant)
CVE-2012-0943
	- lightdm <not-affected> (Ubuntu-specific script)
CVE-2012-0875 [systemtap invalid read leading to kernel DoS]
	- systemtap 1.7-1 (low; bug #660929; bug #660886)
CVE-2012-0871
	- systemd 43-1
CVE-2012-0844
	- netsurf 2.8-2 (bug #659376)
CVE-2012-0843
	- uzbl 0.0.0~git.20111128-2 (bug #659379)
CVE-2012-0842 [surf info leak]
	- surf 0.4.1-6 (bug #659296)
CVE-2012-0828
	- xchat <not-affected> (Only affects Xchat on Windows and Maemo)
CVE-2012-0824
	- gnusound <removed> (low; bug #654270)
CVE-2012-0812 [PostfixAdmin 2.3.4 multiple XSS vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0811 [PostfixAdmin 2.3.4 multiple SQL vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0810
	- linux-2.6 3.2.16-1 (bug #672660)
CVE-2012-0803
	NOT-FOR-US: Apache CXF
CVE-2012-0694 [SugarCRM CE unserialize PHP code execution in multiple files]
	- sugarcrm-ce-5.0 <itp> (bug #457876)
CVE-2012-0270 [csound buffer overflows]
	- csound 1:5.16.6~dfsg-1 (low; bug #661197)
CVE-2012-0214 [apt would still trust repository when old InRelease file present]
	- apt 0.8.15.10
CVE-2012-0153
	NOT-FOR-US: Microsoft
CVE-2012-0140
	NOT-FOR-US: Microsoft
CVE-2012-0139
	NOT-FOR-US: Microsoft
CVE-2012-0785 [Jenkins and hash collision attack]
	- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
CVE-2012-0070
	NOT-FOR-US: spamdyke not in Debian
CVE-2012-0064 [xorg screen lockers bypassed via key combo]
	- xorg-server 2:1.11.3.901-2 (high; bug #656410)
CVE-2012-0063
	- tucan <unfixed> (bug #656388)
CVE-2012-0062
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0059
	NOT-FOR-US: RHN Satellite
CVE-2012-0055
	NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
CVE-2012-0052
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0051
	- tahoe-lafs <not-affected> (Only affects 1.9.0, not uploaded to the archive)
CVE-2012-0049
	{DSA-2524-1}
CVE-2012-0046 [mediawiki info leak]
	- mediawiki 1:1.15.5-6 (low; bug #655694)
CVE-2012-0033 [znc bouncedcc DoS]
	- znc 0.202-2
CVE-2012-0032
	NOT-FOR-US: JBoss Operations Network

CVE-2013-7303 [cross-site scripting]
	- spip 3.0.13-1 (bug #736170)
CVE-2013-7302
	NOT-FOR-US: Drupal contrib
CVE-2013-7301 [external network interface is used with no access control for reading queued music files]
	- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7300 [absolute path traversal vulnerability]
	- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7299 [tntnet: denial of service]
	- tntnet <unfixed> (low; bug #735881)
CVE-2013-7298 [cxxtools: denial of service]
	- cxxtools 2.2.1-1 (low; bug #735880)
CVE-2013-7296 [DoS]
	- poppler <not-affected> (Introduced in a3cee0e7e9dd292c70fe1fa19a92e70bbc1e1b41)
CVE-2013-7285 [remote code execution via deserialization in XStream]
	- libxstream-java <unfixed> (bug #734821)
CVE-2013-7284 [libplrpc-perl remote code execution due to Storable]
	- libplrpc-perl <unfixed> (high; bug #734789)
CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list]
	- gdm3 <unfixed> (low; bug #683338)
CVE-2013-7259
	- neo4j-community <itp> (bug #685615)
CVE-2013-7252 [kwallet crypto misuse]
	- kde-runtime <unfixed>
CVE-2013-7172
	- libiodbc2 <not-affected> (RPATH issue slackware specific)
CVE-2013-7171
	- llvm-2.9 <not-affected> (RPATH issue slackware specific)
CVE-2013-7236
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7235
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7234
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7221 [run command dialog visible above screen locker]
	- gnome-shell <unfixed>
CVE-2013-7220 [blind command execution via activities search keyboard focus]
	- gnome-shell <unfixed>
CVE-2013-7203
	- gitolite3 3.5.3.1-1
CVE-2013-7143
	- open-xchange <itp> (bug #269329)
CVE-2013-7142
	- open-xchange <itp> (bug #269329)
CVE-2013-7141
	- open-xchange <itp> (bug #269329)
CVE-2013-7140
	- open-xchange <itp> (bug #269329)
CVE-2013-7137
	NOT-FOR-US: Burden
CVE-2013-7135
	- libproc-daemon-perl 0.14-2 (low; bug #732283)
CVE-2013-7134
	NOT-FOR-US: Juvia
CVE-2013-7130 [Live migration can leak root disk into ephemeral storage]
	- nova <unfixed> (bug #736465)
CVE-2013-7111
	NOT-FOR-US: Bio Basespace SDK Ruby Gem
CVE-2013-7110
	- transifex-client <unfixed> (low)
CVE-2013-7066
	NOT-FOR-US: Drupal module
CVE-2013-7065
	NOT-FOR-US: Drupal module
CVE-2013-7064
	NOT-FOR-US: Drupal module
CVE-2013-7063
	NOT-FOR-US: Drupal module
CVE-2013-7034
	NOT-FOR-US: LiveZilla
CVE-2013-7033
	NOT-FOR-US: LiveZilla
CVE-2013-7032
	NOT-FOR-US: LiveZilla
CVE-2013-7089 [dbg_printhex possible information leak]
	- clamav 0.97.7+dfsg-1
CVE-2013-7088 [buffer overflow]
	- clamav 0.97.7+dfsg-1
CVE-2013-7087 [clamav: WWPack corrupt heap memory]
	- clamav 0.97.7+dfsg-1
CVE-2013-7072
	NOT-FOR-US: Monitorix
CVE-2013-7071
	NOT-FOR-US: Monitorix
CVE-2013-7070
	NOT-FOR-US: Monitorix
CVE-2013-7062 [XSS]
	- zope2.12 <removed> (low)
CVE-2013-7061 [Privilege escalation through exposed underlying API]
	NOT-FOR-US: Plone
CVE-2013-7060 [Filesystem path information leak]
	NOT-FOR-US: Plone
CVE-2013-7048 [Nova live snapshots use an insecure local directory]
	- nova 2013.2.1-1 (bug #732022)
CVE-2013-7003
	NOT-FOR-US: LiveZilla
CVE-2013-7041 [pam_userdb: password hashes aren't compared case-sensitively]
	- pam <unfixed> (low; bug #731368)
CVE-2013-7040
	- python2.5 <removed> (low)
CVE-2013-6891 [lppasswd vulnerability]
	- cups 1.7.1-1
CVE-2013-6889 [Allows reading arbitrary files]
	- rush <unfixed> (bug #733505)
CVE-2013-6887
	- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6880
	NOT-FOR-US: FlashCanvas
CVE-2013-6879
	NOT-FOR-US: MijoSearch
CVE-2013-6878
	NOT-FOR-US: MijoSearch
CVE-2013-6838
	NOT-FOR-US: IVR Pro/Contact Center (VIP2000)
CVE-2013-6806
	NOT-FOR-US: OpenText Exceed onDemand
CVE-2013-6788
	NOT-FOR-US: Bitrix Site Manager
CVE-2013-6766
	NOT-FOR-US: OpenVAS Administrator (only uploaded to exp 2.5 years ago)
CVE-2013-6765
	NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago)
CVE-2013-6472
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6461 [DoS while parsing XML entities]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6460 [DoS while parsing XML documents]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6458 [job usage issue in several APIs leading to libvirtd crash]
	{DSA-2846-1}
CVE-2013-6457 [avoid crashing if calling `virsh numatune' on inactive domain]
	- libvirt 1.2.1-1
CVE-2013-6456 [virsh shutdown does not handle symlinks correctly for LXC]
	- libvirt <unfixed> (bug #732394)
CVE-2013-6455
	- mediawiki <unfixed>
CVE-2013-6454
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6453
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6452
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6451
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6444 [failure to check certificate hostname]
	- pywbem <unfixed> (bug #732594)
CVE-2013-6441 [lxc: sshd template allow privilege escalation on host]
	- lxc <unfixed> (unimportant)
CVE-2013-6440 [XML eXternal Entity (XXE) flaw in ParserPool and Decrypter]
	- opensaml2 <not-affected> (Debian provides the C-based Shibboleth implementation)
CVE-2013-6437 [DoS through ephemeral disk backing files]
	- nova <unfixed>
CVE-2013-6430
	- libspring-java <unfixed> (bug #735420)
CVE-2013-6429
	- libspring-java <unfixed> (bug #735420)
CVE-2013-6418 [TOCTOU vulnerability in certificate validation]
	- pywbem <unfixed> (low; bug #732594)
CVE-2013-6413 [unrealircd: DoS, use after free]
	- unrealircd <itp> (bug #515130)
CVE-2013-6396 [does not properly verify the server SSL certificates]
	- python-swiftclient <unfixed> (bug #730626)
CVE-2013-6372
	- jenkins <not-affected> (Affected plugins are not shipped in Debian, bug #730457)
CVE-2013-6365 [CSRF edit.php]
	- php-horde 5.1.5+debian0-1 (bug #730110)
CVE-2013-6364 [XSS and CSRF search.php]
	- php-horde <not-affected> (Vulnerable code in turba)
CVE-2013-6275 [CSRF]
	- php-horde-ingo 3.1.3-1 (bug #727669)
CVE-2013-6242
	- open-xchange <itp> (bug #269329)
CVE-2013-6241
	- open-xchange <itp> (bug #269329)
CVE-2013-6236
	NOT-FOR-US: Stem Innovations IZON
CVE-2013-6223
	NOT-FOR-US: Livezilla
CVE-2013-6117
	NOT-FOR-US: Dahua DVR
CVE-2013-6167
	- iceweasel <unfixed> (unimportant)
CVE-2013-6166
	- chromium-browser 31.0.1650.57-1 (low)
CVE-2013-6053
	- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6049 [insecure temporary file creation]
	- apt-listbugs 0.1.10 (low)
CVE-2013-6047 [XSS in site creation interface]
	- ikiwiki-hosting 0.20131025
CVE-2013-5984
	NOT-FOR-US: Microweber
CVE-2013-5983
	NOT-FOR-US: GuppY
CVE-2013-5916
	NOT-FOR-US: WordPress plugin wp-e-commerce
CVE-2013-5749
	NOT-FOR-US: SimpleRisk
CVE-2013-5748
	NOT-FOR-US: SimpleRisk
CVE-2013-5743
	- zabbix 1:2.0.8+dfsg-2
CVE-2013-5680 [heap overflow]
	- hylafax <not-affected> (Not built with LDAP support)
CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
	NOTE: DNS protocol flaw
CVE-2013-5675
	NOT-FOR-US: Symantec Endpoint Protection
CVE-2013-5671 [Remote Command Injection]
	NOT-FOR-US: fog-dragonfly Ruby Gem
CVE-2013-5655
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5654
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5640
	NOT-FOR-US: Gnew
CVE-2013-5639
	NOT-FOR-US: Gnew
CVE-2013-5582
	NOT-FOR-US: Ammyy Admin
CVE-2013-5581
	NOT-FOR-US: Ammyy Admin
CVE-2013-5350
	NOT-FOR-US: OpenPNE
CVE-2013-5212
	NOT-FOR-US: easyXDM
CVE-2013-5123 [insecure mirroring]
	- python-pip 1.4.1-1 (unimportant)
CVE-2013-4985
	NOT-FOR-US: Vivotek IP Cameras
CVE-2013-4982
	NOT-FOR-US: AVTECH DVR
CVE-2013-4981
	NOT-FOR-US: AVTECH DVR
CVE-2013-4980
	NOT-FOR-US: AVTECH DVR
CVE-2013-4979 [Buffer Overflow]
	NOT-FOR-US: EPS Viewer
CVE-2013-4978 [Buffer Overflow]
	NOT-FOR-US: Aloaha PDF Suite
CVE-2013-4968
	- puppet <not-affected> (Only affects Puppet Enterprise)
CVE-2013-4772
	NOT-FOR-US: D-Link
CVE-2013-4752
	NOT-FOR-US: Symfony HttpFoundation component
CVE-2013-4751
	NOT-FOR-US: Symfony Validator component
CVE-2013-4739
	- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4738
	- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4730
	NOT-FOR-US: PCMan FTP Server
CVE-2013-4718 [XSS]
	NOT-FOR-US: OTRS ITSM
CVE-2013-4717 [SQL injection]
	{DSA-2733-1}
CVE-2013-4593
	- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4584 [ssl_outgoing_ciphers not applied to STARTTLS connections]
	- perdition <unfixed> (low; bug #729028)
CVE-2013-4583
	- gitlab <itp> (bug #651606)
CVE-2013-4582 [Local file inclusion vulnerability]
	- gitlab <itp> (bug #651606)
CVE-2013-4581 [Remote code execution vulnerability via Git SSH access]
	- gitlab <itp> (bug #651606)
CVE-2013-4580 [Unauthenticated API access to GitLab when using MySQL]
	- gitlab <itp> (bug #651606)
CVE-2013-4577 [should set safer permissions even when hashed passwords are found]
	- grub2 2.00-20 (unimportant; bug #632598)
CVE-2013-4574
	- mediawiki <unfixed>
CVE-2013-4572
	- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
CVE-2013-4571
	- mediawiki <unfixed>
CVE-2013-4570
	- mediawiki <unfixed>
CVE-2013-4565 [heap-based buffer overflow]
	- xlhtml <unfixed> (bug #729279)
CVE-2013-4562
	- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4561
	NOT-FOR-US: OpenShift
CVE-2013-4552
	NOT-FOR-US: drupalauth module for simpleSAMLphp
CVE-2013-4546 [remote command execution]
	- gitlab <itp> (bug #651606)
CVE-2013-4521
	NOT-FOR-US: Nuxeo
CVE-2013-4504
	NOT-FOR-US: Drupal contrib module
CVE-2013-4503
	NOT-FOR-US: Drupal contrib module
CVE-2013-4502
	NOT-FOR-US: Drupal contrib module
CVE-2013-4501
	NOT-FOR-US: Drupal contrib module
CVE-2013-4500
	NOT-FOR-US: Drupal contrib module
CVE-2013-4499
	NOT-FOR-US: Drupal contrib module
CVE-2013-4498
	NOT-FOR-US: Drupal contrib module
CVE-2013-4490 [Remote code execution vulnerability in the SSH key upload feature]
	- gitlab <itp> (bug #651606)
CVE-2013-4489 [Remote code execution vulnerability in the code search feature]
	- gitlab <itp> (bug #651606)
CVE-2013-4488
	- libgadu <unfixed> (unimportant)
CVE-2013-4472 [Race condition on temporary file]
	- poppler <unfixed> (unimportant)
CVE-2013-4471 [password reset vulnerability]
	- horizon 2013.2-1
CVE-2013-4468
	NOT-FOR-US: VICIDIAL
CVE-2013-4467
	NOT-FOR-US: VICIDIAL
CVE-2013-4463 [Compressed disk image DoS]
	- nova 2013.2-3 (bug #728605)
CVE-2013-4462
	NOT-FOR-US: WordPress plugin
CVE-2013-4455
	NOT-FOR-US: Katello
CVE-2013-4454
	NOT-FOR-US: WordPress plugin
CVE-2013-4451 [world writable files]
	- gitolite <not-affected> (vulnerable code introduced for v3.5.3)
CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled]
	- openldap <unfixed> (low; bug #729367)
CVE-2013-4442 [Silent fallback to insecure entropy]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4440 [non-tty passwords are trivially weak by default]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4433 [xhprof: unspecified XSS]
	- xhprof 0.9.4-1 (bug #726284)
CVE-2013-4432 [a group member with no access rights to folder can still view it]
	- mahara <removed> (low; bug #727539)
CVE-2013-4431 [Not checking ownership of blocks before editing them]
	- mahara <removed> (low; bug #727552)
CVE-2013-4430
	- mahara <removed> (unimportant; bug #727548)
CVE-2013-4429 [Arbitrary image download]
	- mahara <removed> (low; bug #727545)
CVE-2013-4427 [pyxtrlock Incorrect return value checking]
	NOT-FOR-US: pyxtrlock
CVE-2013-4426 [pyxtrlock mis-spelled variable name]
	NOT-FOR-US: pyxtrlock
CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal]
	- libtar <unfixed> (bug #731860)
CVE-2013-4413 [arbitrary files read]
	NOT-FOR-US: Wicked Ruby Gem
CVE-2013-4412 [NULL ptr dereference]
	- slim <unfixed> (bug #725902)
CVE-2013-4411
	- reviewboard <itp> (bug #653113)
CVE-2013-4410
	- reviewboard <itp> (bug #653113)
CVE-2013-4409 [unsanitized eval() vulnerability]
	- djblets <removed> (low; bug #726039)
CVE-2013-4406
	NOT-FOR-US: Quick Tabs Drupal contributed module
CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled]
	- libvirt 1.1.4-1
CVE-2013-4395
	NOT-FOR-US: Simple Machines Forum
CVE-2013-4383
	NOT-FOR-US: Drupal module
CVE-2013-4380
	NOT-FOR-US: Drupal module
CVE-2013-4367
	NOT-FOR-US: ovirt
CVE-2013-4357 [getaddrinfo() stack overflow]
	- eglibc <unfixed>
CVE-2013-4347 [Uses poor PRNG]
	- python-oauth2 <unfixed> (low; bug #722657)
CVE-2013-4346 [_check_signature() ignores the nonce value when validating signed urls]
	- python-oauth2 <unfixed> (low; bug #722656)
CVE-2013-4337
	NOT-FOR-US: Drupal module
CVE-2013-4336
	NOT-FOR-US: Drupal module
CVE-2013-4335
	NOT-FOR-US: opOpenSocialPlugin
CVE-2013-4334
	NOT-FOR-US: opWebAPIPlugin
CVE-2013-4333
	NOT-FOR-US: OpenPNE
CVE-2013-4331 [incorrect .Xauthority permissions]
	- lightdm 1.6.2-1 (bug #721744)
CVE-2013-4321 [TYPO3 File Abstraction Layer: Remote Code Execution]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4320 [TYPO3 Core: Cross-Site Scripting, Remote Code Execution]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4318
	NOT-FOR-US: Ruby gem Features
CVE-2013-4304 [mediawiki CentralAuth auth bypass]
	NOT-FOR-US: Mediawiki CentralAuth extension
CVE-2013-4303 [mediawiki XSS with IE6]
	- mediawiki 1:1.19.8+dfsg-1 (unimportant)
CVE-2013-4290 [stack-based buffer overflows]
	- openjpeg <unfixed> (bug #722540)
CVE-2013-4289 [heap-based buffer overflows]
	- openjpeg <unfixed> (bug #722540)
CVE-2013-4279
	- imapsync <removed>
CVE-2013-4275
	NOT-FOR-US: Drupal contributed module Zen
CVE-2013-4273
	NOT-FOR-US: Drupal contributed module Entity API
CVE-2013-4269
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4268
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4267
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4262 [svnwcsub.py and irkerbridge.py are vulnerable to symlink attack]
	- subversion <not-affected> (Optional admin-side utilities in Subversion 1.8.x)
CVE-2013-4251 [weave /tmp and current directory issues]
	- python-scipy 0.12.0-3 (bug #726093)
CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4246 [FSFS repository corruption due to editing packed revision properties]
	- subversion <not-affected> (only affects 1.8.0 and 1.8.1)
CVE-2013-4241
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4240
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4228
	NOT-FOR-US: Organic Group Drupal contributed module
CVE-2013-4227
	NOT-FOR-US: Persona Drupal contributed module
CVE-2013-4226
	NOT-FOR-US: Authenticated User Page Caching Drupal contributed module
CVE-2013-4225
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal contributed module
CVE-2013-4224
	NOTE: Duplicate of CVE-2013-4187, thus rejected
CVE-2013-4223 [nullmailer world readable /etc/nullmailer/remotes]
	- nullmailer 1:1.11-2 (low; bug #684619)
CVE-2013-4215 [IPXPING_COMMAND uses fixed location in /tmp]
	- nagios-plugins <unfixed> (unimportant)
CVE-2013-4211
	NOT-FOR-US: OpenX
CVE-2013-4209 [ABRT: (substantially) limited leak of unauthorized information]
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2013-4201 [Katello: CLI - user without access can call "system remove_deletion" command]
	NOT-FOR-US: Katello
CVE-2013-4199 [plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)]
	NOT-FOR-US: Plone
CVE-2013-4198 [plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py)]
	NOT-FOR-US: Plone
CVE-2013-4197 [plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py)]
	NOT-FOR-US: Plone
CVE-2013-4196 [plone: Multiple information exposure flaws via certain object methods (objectmanager.py)]
	NOT-FOR-US: Plone
CVE-2013-4195 [plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py)]
	NOT-FOR-US: Plone
CVE-2013-4194 [plone: File system path exposure (wysiwyg.py)]
	NOT-FOR-US: Plone
CVE-2013-4193 [plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py)]
	NOT-FOR-US: Plone
CVE-2013-4192 [plone: Ability to spoof emails (sendto.py)]
	NOT-FOR-US: Plone
CVE-2013-4191 [plone: Information exposure due improper access control enforcement when generating zip archives (zip.py)]
	NOT-FOR-US: Plone
CVE-2013-4190 [plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)]
	NOT-FOR-US: Plone
CVE-2013-4189 [plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py)]
	NOT-FOR-US: Plone
CVE-2013-4188 [plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py)]
	NOT-FOR-US: Plone
CVE-2013-4187 [Access Bypass]
	NOT-FOR-US: Flippy Contributed Drupal module
CVE-2013-4184 [symlink attacks]
	- libdata-uuid-perl <unfixed> (low; bug #718949)
CVE-2013-4178
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4177
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4176 [information disclosure]
	NOT-FOR-US: MySecureShell
CVE-2013-4175 [local denial of service]
	NOT-FOR-US: MySecureShell
CVE-2013-4168 [start and end time fields not filtered]
	- smokeping 2.6.8-2
CVE-2013-4166 [problem in GPG key selection when encrypting mail]
	- evolution <unfixed> (unimportant)
CVE-2013-4161
	- gksu-polkit <not-affected> (CVE for improperly applied fix for CVE-2012-5617 on Red Hat)
CVE-2013-4158
	- smokeping <not-affected> (fix for CVE-2012-0790/DSA-2651-1 uses regexp from 2.6.9 upstream release)
CVE-2013-4152 [XML External Entity (XXE) injection flaw]
	{DSA-2842-1}
CVE-2013-4143
	NOT-FOR-US: xlockmore
CVE-2013-4133 [memory leak]
	- kde-workspace 4:4.10.5-3 (unimportant; bug #717180)
CVE-2013-4119
	- freerdp <not-affected> (The server part is not built)
CVE-2013-4118
	- freerdp <not-affected> (The server part is not built)
CVE-2013-4116 [npm: predictable temporary filenames when unpacking tarballs]
	- npm 1.3.10~dfsg-1 (bug #715325)
CVE-2013-4110
	NOT-FOR-US: Cryptocat
CVE-2013-4109
	NOT-FOR-US: Cryptocat
CVE-2013-4108
	NOT-FOR-US: Cryptocat
CVE-2013-4107
	NOT-FOR-US: Cryptocat
CVE-2013-4106
	NOT-FOR-US: Cryptocat
CVE-2013-4105
	NOT-FOR-US: Cryptocat
CVE-2013-4104
	NOT-FOR-US: Cryptocat
CVE-2013-4103
	NOT-FOR-US: Cryptocat
CVE-2013-4102
	NOT-FOR-US: Cryptocat
CVE-2013-4101
	NOT-FOR-US: Cryptocat
CVE-2013-4100
	NOT-FOR-US: Cryptocat
CVE-2013-4088 [Information Disclosure]
	{DSA-2712-1}
CVE-2013-3843
	- monkey <removed>
CVE-2013-3734 [Datasource password visible to administrator]
	NOT-FOR-US: Embedded Jopr
CVE-2013-3729
	NOT-FOR-US: Kasseler CMS
CVE-2013-3728
	NOT-FOR-US: Kasseler CMS
CVE-2013-3727
	NOT-FOR-US: Kasseler CMS
CVE-2013-3718 [evince missing check on number of pages]
	- evince 3.10.0-1
CVE-2013-3703
	NOT-FOR-US: Open Build Service
CVE-2013-3685
	NOT-FOR-US: Sprite Software's backup software for Android
CVE-2013-3587 [BREACH attack against HTTP compression]
	TODO: check
CVE-2013-3571 [FD leak]
	- socat 1.7.1.3-1.5 (low; bug #709931)
CVE-2013-3565 [XSS in HTTP Interface]
	- vlc 2.0.7-1 (unimportant)
CVE-2013-3551
	{DSA-2696-1}
CVE-2013-3514
	NOT-FOR-US: OpenX
CVE-2013-2764
	NOT-FOR-US: Secure Entry Server
CVE-2013-2758
	NOT-FOR-US: CloudStack
CVE-2013-2756
	NOT-FOR-US: CloudStack
CVE-2013-2745 [SQL Injection]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2739 [heap-based buffer overflow]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2738 [SQL Injection]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2625
	- otrs2 3.1.7+dfsg1-8
CVE-2013-2623
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2622
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2621
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2600 [MiniUPnPd information disclosure]
	- miniupnpd 1.8.20130730-1 (bug #716936)
CVE-2013-2595
	NOT-FOR-US: Qualcomm MSM Camera driver
CVE-2013-2574
	NOT-FOR-US: Foscam
CVE-2013-2565
	NOT-FOR-US: Mambo CMS
CVE-2013-2564
	NOT-FOR-US: Mambo CMS
CVE-2013-2563
	NOT-FOR-US: Mambo CMS
CVE-2013-2562
	NOT-FOR-US: Mambo CMS
CVE-2013-2298
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2294
	NOT-FOR-US: ViewGit
CVE-2013-2262
	NOT-FOR-US: Cryptocat
CVE-2013-2261
	NOT-FOR-US: Cryptocat
CVE-2013-2260
	NOT-FOR-US: Cryptocat
CVE-2013-2259
	NOT-FOR-US: Cryptocat
CVE-2013-2258
	NOT-FOR-US: Cryptocat
CVE-2013-2257
	NOT-FOR-US: Cryptocat
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
	- cinder <unfixed>
CVE-2013-2233 [not caching SSH host keys]
	- ansible 1.3.4+dfsg-1 (bug #714822)
CVE-2013-2228 [RSA exponent of 1]
	- salt 0.15.1-1
CVE-2013-2227 [local file inclusion]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2226 [Multiple SQL injections]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2225
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2214 [nagios3: information leak]
	- nagios3 3.4.1-4 (low)
CVE-2013-2213 [KRandom::random() Small Space of Random Values]
	- kdeplasma-addons <not-affected> (only affects if incomplete patch for CVE-2013-2120 is applied)
CVE-2013-2198
	NOT-FOR-US: Login Security Drupal contributed module
CVE-2013-2193 [Apache HBase Man in the Middle Vulnerability]
	NOT-FOR-US: Apache HBase
CVE-2013-2192 [Apache Hadoop Man in the Middle Vulnerability]
	NOT-FOR-US: Apache Hadoop
CVE-2013-2191
	NOT-FOR-US: python-bugzilla
CVE-2013-2184 [unsafe use of Storable::thaw]
	- movabletype-opensource 5.2.7+dfsg-1 (bug #712602)
CVE-2013-2183
	- monkey <removed> (low)
CVE-2013-2182 [monkey security rules bypass]
	- monkey <removed> (low)
CVE-2013-2180
	NOT-FOR-US: uk-cookie Wordpress plugin, not in Debian
CVE-2013-2167 [middleware memcache signing bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2166 [middleware memcache encryption bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2163 [monkey denial of service]
	- monkey <removed> (low)
CVE-2013-2159 [monkey broken authentication]
	- monkey <removed>
CVE-2013-2150 [XSS vulnerability in js/viewer.js]
	- owncloud <not-affected> (affects only experimental version)
CVE-2013-2149 [XSS vulnerability in core/js/oc-dialogs.js]
	- owncloud 4.0.16debian-1 (bug #711517)
CVE-2013-2131 [format string vulnerability]
	- rrdtool <unfixed> (unimportant; bug #708866)
CVE-2013-2130 [null pointer dereference in webadmin]
	- znc 1.0-5 (bug #720632)
CVE-2013-2125 [DoS in TLS Support]
	- opensmtpd 5.3.3p1-1
CVE-2013-2124 [libguestfs: DoS due to a double-free when inspecting certain guest files]
	- libguestfs 1:1.20.8-1 (bug #710290)
CVE-2013-2120 [weak generated passwords]
	- kdeplasma-addons <unfixed> (low; bug #710497)
CVE-2013-2111 [DoS (daemon hang) when parsing invalid IMAP APPEND command parameters]
	- dovecot <not-affected> (vulnerable code appeared in 2.2)
CVE-2013-2109
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2108
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2107
	NOT-FOR-US: WordPress plugin mail-on-update
CVE-2013-2106 [Authentication credential disclosure]
	- webauth <not-affected> (vulnerable code only in 4.4.1 up to 4.5.2)
CVE-2013-2105
	NOT-FOR-US: Show In Browser Ruby Gem
CVE-2013-2100
	NOT-FOR-US: Gentoo Portage binary package installer
CVE-2013-2097 [zPanel themes remote command execution as root]
	NOT-FOR-US: zPanel
CVE-2013-2093
	- dolibarr 3.3.4-1 (high)
CVE-2013-2092
	- dolibarr 3.3.4-1
CVE-2013-2091
	- dolibarr 3.3.4-1
CVE-2013-2090 [Remote command Injection]
	NOT-FOR-US: Creme Fraiche Ruby Gem
CVE-2013-2089 [owncloud: oC-SA-2013-026]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2087 [gallery: multiple xss]
	- gallery <not-affected> (Vulnerable code not present)
CVE-2013-2086 [owncloud: oC-SA-2013-027]
	- owncloud <not-affected> (Only owncloud 5.0.x)
CVE-2013-2085 [owncloud: oC-SA-2013-020]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2075
	- chicken <not-affected> (Incomplete fix was never applied)
CVE-2013-2074 [prints passwords contained in HTTP URLs in error messages]
	- kde4libs 4:4.10.5-1 (low; bug #707776)
CVE-2013-2073 [Does not validate HTTPS server certificate]
	- transifex-client 0.9-1 (low)
CVE-2013-2060
	NOT-FOR-US: OpenShift
CVE-2013-2057
	NOT-FOR-US: YaBB
CVE-2013-2049
	NOT-FOR-US: CloudForms Management Engine
CVE-2013-2048 [owncloud: oC-SA-2013-025]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2047 [owncloud: oC-SA-2013-023]
	- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2046 [owncloud: oC-SA-2013-019]
	- owncloud <not-affected> (Only affects 4.5.x)
CVE-2013-2045 [owncloud: oC-SA-2013-019]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2044 [owncloud: oC-SA-2013-022]
	- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2043 [owncloud: oC-SA-2013-024]
	- owncloud <not-affected> (Only 5.0.x and 4.5.x)
CVE-2013-2042 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2041 [owncloud: oC-SA-2013-021]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2040 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2039 [owncloud: oC-SA-2013-020]
	- owncloud 4.0.15debian-1
CVE-2013-2038 [DoS (packet parser crash) in the AIS driver when processing malformed packet]
	- gpsd 3.6-5 (bug #706665)
CVE-2013-2034 [jenkins CSRF]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2033 [jenkins XSS]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2025
	NOT-FOR-US: Ushahidi
CVE-2013-2024 [OS command injection vulnerability in Chicken Scheme]
	- chicken 4.8.0.3-1 (bug #706525)
CVE-2013-2019 [stack overflow vulnerabilities in the XML parser]
	- boinc 6.13.6+dfsg-1 (low)
CVE-2013-2018 [SQL injections in the server-side scheduler code]
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2016 [qemu: virtio: out-of-bounds config space access]
	- qemu 1.5.0+dfsg-1 (bug #710822)
CVE-2013-2014 [no limitation for requests and headers size which can cause a crash]
	- keystone 2013.1.1-2 (bug #708515)
CVE-2013-2012 [autojump profile will load random stuff from a directory called custom_install]
	- autojump <not-affected> (vulnerable code not present for unstable)
CVE-2013-2011
	NOT-FOR-US: WP Super Cache
CVE-2013-2010
	NOT-FOR-US: W3 Total Cache
CVE-2013-2009
	NOT-FOR-US: WP Super Cache
CVE-2013-2008
	NOT-FOR-US: WP Super Cache
CVE-2013-1980
	- xmp 3.4.0-3 (low; bug #706667)
CVE-2013-1973
	NOT-FOR-US: Drupal contributed module
CVE-2013-1967 [mediaelement flashmediaelement XSS]
	- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1963
	- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1951
	- mediawiki 1:1.19.5-1
CVE-2013-1946
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal contributed module
CVE-2013-1941 [Postgre: Insecure database password generator]
	- owncloud 5.0.4~rc1+dfsg-1
CVE-2013-1939 [Windows: Local file disclosure]
	- owncloud <not-affected> (Windows version only)
CVE-2013-1938
	NOT-FOR-US: Zimbra
CVE-2013-1934 [mantis: XSS issue in adm_config_report.php when displaying complex value]
	- mantis <removed> (low; bug #717482)
CVE-2013-1932 [mantis: XSS vulnerability on Configuration Report page]
	- mantis <not-affected> (affects Mantis 1.2.13 only)
CVE-2013-1931 [mantis: XSS vulnerability when deleting a version]
	- mantis <not-affected> (affects Mantis 1.2.14 only)
CVE-2013-1930 [mantis: Close button available to users despite workflow restrictions]
	- mantis <not-affected> (affects only Mantis 1.2.12 and later)
CVE-2013-1924
	NOT-FOR-US: Commerce Skrill Drupal module
CVE-2013-1916
	NOT-FOR-US: WordPress plugin
CVE-2013-1910 [Not removing bad metadata and using it in next run]
	- yum <unfixed> (unimportant)
CVE-2013-1904 [roundcube variable overwrite]
	- roundcube 0.7.2-9
CVE-2013-1895 [concurrency issue leading to auth bypass]
	- python-bcrypt <removed> (bug #704030)
CVE-2013-1893
	- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1890
	- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1889
	- libapache2-mod-ruid2 0.9.8-1 (low; bug #704066)
CVE-2013-1886
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1885
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1883 [mantis: remote DoS]
	- mantis <not-affected> (only affects 1.2.12 to 1.2.14)
CVE-2013-1880 [XSS vulnerability in portfolioPublish demo application]
	- activemq <not-affected> (portfolio demo app not shipped in Debian package)
CVE-2013-1874 [Chicken Scheme: code execution]
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2013-1864 [Ekiga billion laughs flaw in ptlib]
	NOTE: http://www.openwall.com/lists/oss-security/2013/03/15/6
CVE-2013-1853 [Almanah doesn't encrypt the database]
	- almanah 0.9.1-1 (bug #702905)
CVE-2013-1851 [user_migrate: Local file disclosure]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1850 [Contacts: Bypass of file blacklist]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1841 [Reverse lookup issue in Net::Server]
	- libnet-server-perl <unfixed> (low; bug #702914)
CVE-2013-1822
	- owncloud <not-affected> (owncloud stable4 (4.0.x) is not affected)
CVE-2013-1820
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2013-1818 [mediawiki mwdoc-filter.php information disclosure]
	- mediawiki <not-affected> (mwdoc-filter.php introduced in 1.20)
CVE-2013-1817 [mediawiki information disclosure in unblock API]
	- mediawiki 1:1.19.4-1 (bug #702305)
CVE-2013-1816 [mediawiki insecure curl usage]
	- mediawiki 1:1.19.4-1
CVE-2013-1811 [Reporter can change issue status to 'new']
	- mantis <removed> (low; bug #698481)
CVE-2013-1810 [summary.php category/project names XSS vulnerability]
	- mantis <not-affected> (only affects MantisBT 1.2.12)
CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
	- gambas3 3.5.1-1 (low; bug #702184)
CVE-2013-1771 [monkey: world-readable logdir]
	- monkey <removed> (low)
CVE-2013-1770 [XSS issues in views_view.php]
	- ganglia <unfixed> (low; bug #700158)
CVE-2013-1764
	- packagekit <not-affected> (Zypp backend specific to SuSE)
CVE-2013-1753
	- python2.5 <removed> (low)
CVE-2013-1752
	- python2.5 <removed> (low)
CVE-2013-1751
	- twiki <removed>
CVE-2013-1689
	[wheezy] - iceape <end-of-life>
CVE-2013-1666
	- foswiki <itp> (bug #509864)
CVE-2013-1470 [XSS in geeklog]
	NOTE: There was an RFP a long time ago, bug #203818
CVE-2013-1437 [Code execution when gathering version metadata]
	- perl 5.18.1-2
CVE-2013-1436 [code injection]
	- xmonad-contrib 0.11.2-1 (low)
CVE-2013-1429 [Lintian unsafe symlinks]
	- lintian 2.5.10.5 (bug #705553; unimportant)
CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
	- mahara <removed>
CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions exposes password hashes]
	- ldap-git-backup 1.0.4-1 (bug #699227)
CVE-2013-0243 [Basic constraints vulnerability]
	- haskell-tls-extra 0.4.6.1-1 (bug #698545)
CVE-2013-1376
	NOT-FOR-US: Adobe Reader
CVE-2013-0870 [libavcodec/vp3.c: 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a]
	- ffmpeg <not-affected> (No threading support in vp3 from ffmpeg 0.5)
CVE-2013-0350 [writes content from TCP streams to public readable file /tmp/smtp.log]
	- pktstat 1.8.5-3 (bug #701211)
CVE-2013-0347 [webfs world-readable logdir]
	- webfs 1.21+ds1-9 (low; bug #701638)
CVE-2013-0346 [tomcat world-readable logdir]
	- tomcat6 <not-affected> (Log files are owned by tomcat:tomcat)
CVE-2013-0345 [varnish world-readable logdir]
	- varnish <not-affected> (Logfiles are owned by varnishlog:varnishlog)
CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
	- pyrad <unfixed> (low; bug #701151)
CVE-2013-0336 [DoS when connecting with a missing username/dn]
	- 389-ds-base <unfixed> (bug #704077)
CVE-2013-0326
	- nova <unfixed> (low)
CVE-2013-0307 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0303 [Multiple code executions]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0301 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0300 [Multiple CSRF vulnerabilities]
	- owncloud <not-affected> (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0299 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0298 [XSS vulnerability]
	- owncloud <not-affected> (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0297 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0296 [creates temp files with too wide permissions]
	- pigz 2.2.4-2 (low; bug #700608)
CVE-2013-0294 [potentially predictable password hashing]
	- pyrad 2.0-2 (low; bug #700669)
CVE-2013-0293 [Lock screen accepts F2 to drop to shell]
	- ovirt-node <itp> (bug #502024)
CVE-2013-0289 [missing SSL subject verification]
	- isync 1.0.4-2.2 (low; bug #701052)
CVE-2013-0267
	NOT-FOR-US: Apache VCL
CVE-2013-0264
	NOT-FOR-US: Cumin
CVE-2013-0250 [corosync: Remote DoS due to improper HMAC initialization]
	- corosync <not-affected> (Introduced in v1.99.8-2-ge925f42; bug #699615)
CVE-2013-0234
	- elgg <itp> (bug #526197)
CVE-2013-0204 [Code execution in external storage]
	- owncloud <not-affected> (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0203 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0202 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0201 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0199
	NOT-FOR-US: FreeIPA
CVE-2013-0197 [XSS vulnerability with match_type filter]
	- mantis <not-affected> (This only affects the 1.2.12 version, which isn't present in Debian, bug #698481)
CVE-2013-0195 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0194 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0193 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0192
	NOT-FOR-US: Simple Machines Forum
CVE-2013-0191 [pam-pgsql NULL password handling issue]
	- pam-pgsql 0.7.3.1-4 (bug #698241)
CVE-2013-0185
	NOT-FOR-US: ManageIQ EVM (CloudForms)
CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm swap file]
	- redis 2:2.6.0-1 (low)
CVE-2013-0177
	NOT-FOR-US: OFBiz
CVE-2013-0161
	NOT-FOR-US: Havalite CMS
CVE-2013-0159
	NOT-FOR-US: Fedora build script
