CVE-2012-6619 [MongoDB memory over-read via incorrect BSON object length]
	- mongodb 1:2.4.1-1
CVE-2012-6110 [bcron file descriptors not closed]
	- bcron 0.09-13 (low; bug #686650)
CVE-2012-6345
	NOT-FOR-US: CyberArk Vault
CVE-2012-6344
	NOT-FOR-US: CyberArk Vault
CVE-2012-6342
	NOT-FOR-US: Atlassian Confluence
CVE-2012-6146 [Backend History Module Information Disclosure]
	{DSA-2574-1}
CVE-2012-6143 [Storable::thaw called on untrusted inputs]
	- libspoon-perl (bug #715371; low)
CVE-2012-6142 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: HTML-EP CPAN module
CVE-2012-6141 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: App-Context CPAN module
CVE-2012-6136
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2012-6135
	- ruby-passenger (Vulnerable code not present; bug #702219)
CVE-2012-6133 [XSS flaws in ok and error messages]
	- roundup 1.4.20-1
CVE-2012-6132 [XSS flaw with the otk parameter]
	- roundup 1.4.20-1
CVE-2012-6131 [XSS flaw in @action parameter]
	- roundup 1.4.20-1
CVE-2012-6130 [XSS vulnerability when usernames contain HTML]
	- roundup 1.4.20-1
CVE-2012-6125
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6124
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6123
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6122
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2012-6114 [temp file vulnerability in git-extras]
	- git-extras 1.7.0-1.2 (bug #698490)
CVE-2012-6111 [gnome-keyring does not discard stored secrets in some cases]
	- gnome-keyring 3.8.2-1 (low; bug #697896)
CVE-2012-6108 [default permissions for /var/log/hp are too open]
	- hplip (permissions are 755 on wheezy, sid and experimental)
CVE-2012-6107 [Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate]
	- axis2c (bug #697974)
CVE-2012-6094
	- cups (systemd patch not applied in Debian, see bug #697584)
CVE-2012-6086 [zabbix insecure curl usage]
	- zabbix 1:2.0.7+dfsg-1 (bug #697443)
CVE-2012-6083
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-6079
	NOT-FOR-US: W3 Total Cache
CVE-2012-6078
	NOT-FOR-US: W3 Total Cache
CVE-2012-6077
	NOT-FOR-US: W3 Total Cache
CVE-2012-6071 [libnusoap-php: Curl insecure usage]
	- nusoap 0.7.3-5 (low; bug #696707)
CVE-2012-6070 [falconpl: Curl insecure usage]
	- falconpl 0.9.6.9-git20120606-2 (bug #696681)
CVE-2012-5844
	- openjdk-6 (JavaFX not part of OpenJDK)
CVE-2012-5663
	NOT-FOR-US: Isearch
CVE-2012-5662
	- ibm-3270 (bug #706547)
CVE-2012-5650 [DOM based XSS via Futon UI]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5649 [JSONP arbitrary code execution with Adobe Flash]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5645
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
	- libuser (low; bug #705690)
CVE-2012-5641
	- couchdb (Only affects CouchDB on Windows)
CVE-2012-5640 [thttpd: Local DoS vulnerability]
	- thttpd (low)
CVE-2012-5639
	- libreoffice (unimportant)
CVE-2012-5631
	NOT-FOR-US: FreeIPA
CVE-2012-5630 [TOCTOU race conditions by copying and removing directory trees]
	- libuser (low; bug #705690)
CVE-2012-5628
	NOT-FOR-US: gofer component of PULP project
CVE-2012-5623
	NOT-FOR-US: change_passwd plugin for Squirrelmail
CVE-2012-5621 [Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with not UTF-8 valid name]
	- ekiga 3.2.7-6 (bug #702282; low)
CVE-2012-5620
	NOT-FOR-US: Dovecot non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
CVE-2012-5619
	- sleuthkit (unimportant; bug #695097)
CVE-2012-5618
	NOT-FOR-US: Ushahidi
CVE-2012-5617 [privilege escalation due to improper authentication settings in policykit configuration file]
	- gksu-polkit (bug #695807)
CVE-2012-5583 [phpcas curl usage]
	- php-cas 1.3.1-2
CVE-2012-5582 [opendnssec curl usage]
	- opendnssec (eppclient not built in Debian package)
CVE-2012-5580 [libproxy: format string issue]
	- libproxy 0.3.1-4 (low)
CVE-2012-5578 [Python keyring insecure permissions on new databases]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5577 [Python keyring insecure permissions on migrated files]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
	- libdancer-perl 1.3114+dfsg-1 (low; bug #694279)
CVE-2012-5567
	- kronolith2 (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5566
	- kronolith2 (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5565
	NOT-FOR-US: This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code
CVE-2012-5560
	NOT-FOR-US: MATE gnome fork
CVE-2012-5535
	- gnome-system-log (Fedora-specific issue)
CVE-2012-5527
	- claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391)
CVE-2012-5524
	- gajim 0.15.4-1 (low; bug #693282)
CVE-2012-5521
	- quagga (unimportant; bug #693102)
CVE-2012-5518
	NOT-FOR-US: ovirt / vdsm
CVE-2012-5508 [Zope/Plone: PRNG isn't reseeded]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5507 [Zope/Plone: Timing attack in password validation]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5506 [Zope/Plone: DoS through RSS on private folder]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5505 [Zope/Plone: Attempting to access a view with no name returns an internal data structure]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5504 [Zope/Plone: Persistent XSS]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5503 [Zope/Plone: Users connected through FTP can list hidden folder contents]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5502 [Zope/Plone: Persistent XSS via filtering bypass]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5501 [Zope/Plone: Crafted URL allows downloading of BLOBs that are not visible to the user]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5500 [Zope/Plone: Anonymous users can batch change titles of content items]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5499 [Zope/Plone: Partial denial of service through internal function]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5498 [Zope/Plone: Partial denial of service through Collections functionality]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5497 [Zope/Plone: Anonymous users can list user account names]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5496 [Zope/Plone: DoS through unsanitised inputs into Kupu]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5495 [Zope/Plone: Restricted Python injection]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5494 [Zope/Plone: Reflexive XSS]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5493 [Zope/Plone: Restricted Python sandbox escape]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5492 [Zope/Plone: Partial permissions bypass]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5491 [Zope/Plone: Form detail exposure]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5490 [Zope/Plone: Reflexive XSS]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5489 [Zope/Plone: Partial restricted Python sandbox escape]
	- zope2.12 (bug #692899)
CVE-2012-5488 [Zope/Plone: Restricted Python injection]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5487 [Zope/Plone: Restricted Python sandbox escape]
	- zope2.12 (unimportant; bug #692899)
CVE-2012-5486 [Zope/Plone: Reflexive HTTP header injection]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5485 [Restricted Python injection]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5476
	- horizon (File is installed with 0700 perms in Debian)
CVE-2012-5474
	- horizon 2012.1.1-7
CVE-2012-5395
	NOT-FOR-US: Mediawiki extension CentralAuth
CVE-2012-5391
	- mediawiki 1:1.19.3-1 (bug #694998)
CVE-2012-5390 [Possible privilege escalation]
	- condor (standard universe is disabled in the Debian package, see bug #697936)
CVE-2012-5366
	NOT-FOR-US: Mac OS X
CVE-2012-5365
	- kfreebsd-8 (low; bug #690986)
CVE-2012-5364
	NOT-FOR-US: Microsoft Windows
CVE-2012-5363
	- kfreebsd-8 (low; bug #690986)
CVE-2012-5362
	NOT-FOR-US: Microsoft Windows
CVE-2012-5361
	- ffmpeg
CVE-2012-5360
	- ffmpeg
CVE-2012-5359
	- ffmpeg
CVE-2012-5241
	NOT-FOR-US: PEAR module for Twitter
CVE-2012-5236 [Admin can decrypt user files]
	- owncloud (low)
CVE-2012-4410
	NOTE: to be rejected
CVE-2012-4576 [freebsd privilege escalation]
	- kfreebsd-8 8.3-6 (bug #694096)
CVE-2012-4570 [sql injection]
	- php-letodms-core 3.3.8-1
CVE-2012-4569 [multiple xss in 3.3.9]
	- letodms 3.3.9+dfsg-1
CVE-2012-4568 [csrf]
	- letodms 3.3.9+dfsg-1
CVE-2012-4567 [multiple xss in 3.3.8]
	- letodms 3.3.9+dfsg-1
CVE-2012-4526 [XSS in password.php, incomplete fix for CVE-2012-4525]
	- piwigo (incomplete fix not applied to Debian package)
CVE-2012-4525 [XSS in password.php]
	- piwigo
CVE-2012-4524 [xlockmore bypass]
	- xlockmore (low)
CVE-2012-4519
	NOT-FOR-US: Zenphoto
CVE-2012-4512
	- kdebase (unimportant)
CVE-2012-4480
	NOT-FOR-US: mom
CVE-2012-4451 [php-ZendFramework: XSS vectors in multiple Zend Framework components ZF2012-03]
	- zendframework (Vulnerable code introduced in 2.x, #688946)
CVE-2012-4441 [jenkins XSS in CI game plugin]
	- jenkins (Plugin not built in Debian source package)
CVE-2012-4440 [jenkins XSS in Violations plugin]
	- jenkins (Plugin not built in Debian source package)
CVE-2012-4439 [jenkins XSS]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4438 [jenkins remote code execution]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4434 [fwknop 2.0.3: multiple DoS / code execution flaw]
	- fwknop 2.0.3-1 (bug #688151)
CVE-2012-4428
	- openslp-dfsg (bug #687597; low)
CVE-2012-4420 [Duplicate of CVE-2012-4416]
	NOT-FOR-US: Duplicate of CVE-2012-4416
CVE-2012-4385 [letodms CSRF]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4384 [letodms XSS]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4383
	NOT-FOR-US: Contao
CVE-2012-4382 [Info leak in user blocks]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4381 [Passwords were stored in local DB even if auth systems like LDAP were used]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4380 [Insufficient API for account creation block]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4379 [CSRF]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4378 [DOM-based XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4377 [mediawiki stored XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-3543
	- mono 2.10.8.1-7 (bug #686562)
CVE-2012-3522 [geshi XSS in contrib/langwiz.php]
	- geshi (Vulnerable code not present, see bug #685323)
CVE-2012-3521 [geshi information disclosure in contrib/cssgen.php]
	- geshi 1.0.8.4-2 (bug #685324)
CVE-2012-3490
	- condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210)
CVE-2012-3427
	- jbossas4 (Only builds a few libraries, not the full application server)
CVE-2012-3415
	- plpupload (bug #668396)
CVE-2012-3409
	- ecryptfs-utils 99-1 (bug #682220)
CVE-2012-3407
	NOT-FOR-US: plow
CVE-2012-3406 [glibc formatted printing vulnerabilities]
	- eglibc (low; bug #681888)
CVE-2012-3405 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3404 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3359
	NOT-FOR-US: Red Hat Conga
CVE-2012-2979 [VU#517036: NSD 3.2.13 emergency release]
	- nsd3 (Debian version not affected)
CVE-2012-2945
	- hadoop (bug #535861)
CVE-2012-2736 [NetworkManager: creating new WPA-secured wireless network results in insecure network being created instead]
	- network-manager 0.9.4.0-1 (low; bug #655972)
CVE-2012-2724
	NOT-FOR-US: Drupal module
CVE-2012-2714
	NOT-FOR-US: Drupal module
CVE-2012-2663
	- iptables (unimportant; bug #675445)
CVE-2012-2656 [XXE vulnerability in Restlet]
	- restlet (bug #596472)
CVE-2012-2350 [pam_shield default configuration does not take any action]
	- pam-shield 0.9.2-3.3 (low; bug #658830)
CVE-2012-2328
	NOT-FOR-US: sblim
CVE-2012-2312
	- jbossas4 (Only affects JBoss 7)
CVE-2012-2301 [Drupal SA-CONTRIB-2012-064 - Ubercart - Arbitrary PHP Execution]
	NOT-FOR-US: Drupal addon not packaged
CVE-2012-2250
	- tor 0.2.3.24-rc-1 (low)
CVE-2012-2249
	- tor 0.2.3.23-rc-1 (low)
CVE-2012-2248 [build-influenced PATH set in dhclient]
	- isc-dhcp 4.2.4-3 (bug #690532)
CVE-2012-2238
	- tryton-server (only affected 2.4, in experimental)
CVE-2012-2237
	{DSA-2540-1}
CVE-2012-2095 [wicd command execution with root privileges]
	- wicd 1.7.2.4-1 (low; bug #668397)
CVE-2012-2148
	- jbossas4 (Only builds a few libraries, not the full application server)
CVE-2012-2142 [Insufficient sanitization of escape sequences in the error message]
	- xpdf (uses poppler's Error.cc)
CVE-2012-2134
	NOT-FOR-US: Dynamic LDAP backend plugin for BIND
CVE-2012-2130
	- polarssl 1.1.2-1
CVE-2012-2108
	- csound 1:5.17.6~dfsg-1 (low; bug #661197)
CVE-2012-2107
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2106
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2092
	- cobbler (bug #545583)
CVE-2012-2079
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-2078
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1637
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1622
	NOT-FOR-US: Apache OFBiz
CVE-2012-1621
	NOT-FOR-US: Apache OFBiz
CVE-2012-1615 [sectool dbus priv escalation]
	NOT-FOR-US: sectool
CVE-2012-1600 [XSS from 5.0.4 release]
	- phppgadmin 5.0.4-1
CVE-2012-1592
	- libstruts1.2-java (Only applies to Struts 2, see bug #657870)
CVE-2012-1577
	- dietlibc 0.33~cvs20120325-1 (unimportant)
CVE-2012-1572
	- keystone 2012.1~rc2-1
CVE-2012-1567
	NOT-FOR-US: LinuxMint
CVE-2012-1566
	NOT-FOR-US: LinuxMint
CVE-2012-1563
	- joomla (bug #571794)
CVE-2012-1562
	- joomla (bug #571794)
CVE-2012-1561
	NOT-FOR-US: Drupal Finder
CVE-2012-1102 [XML::Atom Perl module XML entity expansion]
	{DSA-2424-1}
CVE-2012-1301
	NOT-FOR-US: Umbraco
CVE-2012-1257
	- pidgin (unimportant)
CVE-2012-1187
	- bitlbee 3.0.4+bzr855-1 (low)
CVE-2012-1171 [safemode bypass after RSHUTDOWN]
	- php5 (unimportant)
CVE-2012-1170
	- moodle (Only affects 2.2)
CVE-2012-1169
	- moodle (Only affects 2.0 to 2.2)
CVE-2012-1168
	- moodle (Only affects 2.0 to 2.2)
CVE-2012-1166 [ldm (LTSP display manager)]
	- ldm 2:2.2.7-1 (bug #663645)
CVE-2012-1161
	- moodle (Only affects 2.1 to 2.2)
CVE-2012-1160
	- moodle (Only affects 2.1 to 2.2)
CVE-2012-1159
	- moodle (Only affects 2.1 to 2.2)
CVE-2012-1158
	- moodle (Only affects 2.1 to 2.2)
CVE-2012-1157
	- moodle (Only affects 2.0 to 2.2)
CVE-2012-1156
	- moodle (Only affects 2.0 to 2.2)
CVE-2012-1155
	- moodle 1.9.9.dfsg2-6 (low; bug #668411)
CVE-2012-1124
	NOT-FOR-US: phxEventManager not in Debian
CVE-2012-1115
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1114
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1111
	- lightdm 1.0.9-1 (bug #658678)
CVE-2012-1109
	NOT-FOR-US: mwlib not in Debian
CVE-2012-1105
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1104
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1101
	- systemd 43-1 (bug #662029)
CVE-2012-1100
	NOT-FOR-US: JBoss Operations Network
CVE-2012-1096
	- network-manager (low; bug #684259)
CVE-2012-1095
	- osc (unimportant)
CVE-2012-1094
	NOT-FOR-US: mod_cluster
CVE-2012-1093 [init script x11-common creates directories in insecure manner]
	- xorg 1:7.6+12 (bug #661627)
CVE-2012-1088
	- iproute 20120319-1 (unimportant)
CVE-2012-0943
	- lightdm (Ubuntu-specific script)
CVE-2012-0875 [systemtap invalid read leading to kernel DoS]
	- systemtap 1.7-1 (low; bug #660929; bug #660886)
CVE-2012-0871
	- systemd 43-1
CVE-2012-0844
	- netsurf 2.8-2 (bug #659376)
CVE-2012-0843
	- uzbl 0.0.0~git.20111128-2 (bug #659379)
CVE-2012-0842 [surf info leak]
	- surf 0.4.1-6 (bug #659296)
CVE-2012-0828
	- xchat (Only affects Xchat on Windows and Maemo)
CVE-2012-0824
	- gnusound (low; bug #654270)
CVE-2012-0812 [PostfixAdmin 2.3.4 multiple XSS vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0811 [PostfixAdmin 2.3.4 multiple SQL vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0810
	- linux-2.6 3.2.16-1 (bug #672660)
CVE-2012-0803
	NOT-FOR-US: Apache CXF
CVE-2012-0694 [SugarCRM CE unserialize PHP code execution in multiple files]
	- sugarcrm-ce-5.0 (bug #457876)
CVE-2012-0270 [csound buffer overflows]
	- csound 1:5.16.6~dfsg-1 (low; bug #661197)
CVE-2012-0214 [apt would still trust repository when old InRelease file present]
	- apt 0.8.15.10
CVE-2012-0153
	NOT-FOR-US: Microsoft
CVE-2012-0140
	NOT-FOR-US: Microsoft
CVE-2012-0139
	NOT-FOR-US: Microsoft
CVE-2012-0785 [Jenkins and hash collision attack]
	- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
CVE-2012-0070
	NOT-FOR-US: spamdyke not in Debian
CVE-2012-0064 [xorg screen lockers bypassed via key combo]
	- xorg-server 2:1.11.3.901-2 (high; bug #656410)
CVE-2012-0063
	- tucan (bug #656388)
CVE-2012-0062
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0059
	NOT-FOR-US: RHN Satellite
CVE-2012-0055
	NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
CVE-2012-0052
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0051
	- tahoe-lafs (Only affects 1.9.0, not uploaded to the archive)
CVE-2012-0049
	{DSA-2524-1}
CVE-2012-0046 [mediawiki info leak]
	- mediawiki 1:1.15.5-6 (low; bug #655694)
CVE-2012-0033 [znc bouncedcc DoS]
	- znc 0.202-2
CVE-2012-0032
	NOT-FOR-US: JBoss Operations Network