CVE-2013-7303 [cross-site scripting]
	- spip 3.0.13-1 (bug #736170)
CVE-2013-7302
	NOT-FOR-US: Drupal contrib
CVE-2013-7301 [external network interface is used with no access control for reading queued music files]
	- cantata (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7300 [absolute path traversal vulnerability]
	- cantata (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7299 [tntnet: denial of service]
	- tntnet (low; bug #735881)
CVE-2013-7298 [cxxtools: denial of service]
	- cxxtools 2.2.1-1 (low; bug #735880)
CVE-2013-7296 [DoS]
	- poppler (Introduced in a3cee0e7e9dd292c70fe1fa19a92e70bbc1e1b41)
CVE-2013-7285 [remote code execution via deserialization in XStream]
	- libxstream-java (bug #734821)
CVE-2013-7284 [libplrpc-perl remote code execution due to Storable]
	- libplrpc-perl (high; bug #734789)
CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list]
	- gdm3 (low; bug #683338)
CVE-2013-7259
	- neo4j-community (bug #685615)
CVE-2013-7252 [kwallet crypto misuse]
	- kde-runtime
CVE-2013-7172
	- libiodbc2 (RPATH issue, Slackware specific)
CVE-2013-7171
	- llvm-2.9 (RPATH issue, Slackware specific)
CVE-2013-7236
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7235
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7234
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7221 [run command dialog visible above screen locker]
	- gnome-shell
CVE-2013-7220 [blind command execution via activities search keyboard focus]
	- gnome-shell
CVE-2013-7203
	- gitolite3 3.5.3.1-1
CVE-2013-7143
	- open-xchange (bug #269329)
CVE-2013-7142
	- open-xchange (bug #269329)
CVE-2013-7141
	- open-xchange (bug #269329)
CVE-2013-7140
	- open-xchange (bug #269329)
CVE-2013-7137
	NOT-FOR-US: Burden
CVE-2013-7135
	- libproc-daemon-perl 0.14-2 (low; bug #732283)
CVE-2013-7134
	NOT-FOR-US: Juvia
CVE-2013-7130 [Live migration can leak root disk into ephemeral storage]
	- nova (bug #736465)
CVE-2013-7111
	NOT-FOR-US: Bio Basespace SDK Ruby Gem
CVE-2013-7110
	- transifex-client (low)
CVE-2013-7066
	NOT-FOR-US: Drupal module
CVE-2013-7065
	NOT-FOR-US: Drupal module
CVE-2013-7064
	NOT-FOR-US: Drupal module
CVE-2013-7063
	NOT-FOR-US: Drupal module
CVE-2013-7034
	NOT-FOR-US: LiveZilla
CVE-2013-7033
	NOT-FOR-US: LiveZilla
CVE-2013-7032
	NOT-FOR-US: LiveZilla
CVE-2013-7089 [dbg_printhex possible information leak]
	- clamav 0.97.7+dfsg-1
CVE-2013-7088 [buffer overflow]
	- clamav 0.97.7+dfsg-1
CVE-2013-7087 [clamav: WWPack corrupt heap memory]
	- clamav 0.97.7+dfsg-1
CVE-2013-7072
	NOT-FOR-US: Monitorix
CVE-2013-7071
	NOT-FOR-US: Monitorix
CVE-2013-7070
	NOT-FOR-US: Monitorix
CVE-2013-7062 [XSS]
	- zope2.12 (low)
CVE-2013-7061 [Privilege escalation through exposed underlying API]
	NOT-FOR-US: Plone
CVE-2013-7060 [Filesystem path information leak]
	NOT-FOR-US: Plone
CVE-2013-7048 [Nova live snapshots use an insecure local directory]
	- nova 2013.2.1-1 (bug #732022)
CVE-2013-7003
	NOT-FOR-US: LiveZilla
CVE-2013-7041 [pam_userdb: password hashes aren't compared case-sensitively]
	- pam (low; bug #731368)
CVE-2013-7040
	- python2.5 (low)
CVE-2013-6891 [lppasswd vulnerability]
	- cups 1.7.1-1
CVE-2013-6889 [Allows reading arbitrary files]
	- rush (bug #733505)
CVE-2013-6887
	- openjpeg (only affects 1.5, in experimental, see #731237)
CVE-2013-6880
	NOT-FOR-US: FlashCanvas
CVE-2013-6879
	NOT-FOR-US: MijoSearch
CVE-2013-6878
	NOT-FOR-US: MijoSearch
CVE-2013-6838
	NOT-FOR-US: IVR Pro/Contact Center (VIP2000)
CVE-2013-6806
	NOT-FOR-US: OpenText Exceed onDemand
CVE-2013-6788
	NOT-FOR-US: Bitrix Site Manager
CVE-2013-6766
	NOT-FOR-US: OpenVAS Administrator (only uploaded to experimental 2.5 years ago)
CVE-2013-6765
	NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago)
CVE-2013-6472
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6461 [DoS while parsing XML entities]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6460 [DoS while parsing XML documents]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6458 [job usage issue in several APIs leading to libvirtd crash]
	{DSA-2846-1}
CVE-2013-6457 [avoid crashing if calling `virsh numatune' on inactive domain]
	- libvirt 1.2.1-1
CVE-2013-6456 [virsh shutdown does not handle symlinks correctly for LXC]
	- libvirt (bug #732394)
CVE-2013-6455
	- mediawiki
CVE-2013-6454
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6453
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6452
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6451
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6444 [failure to check certificate hostname]
	- pywbem (bug #732594)
CVE-2013-6441 [lxc: sshd template allows privilege escalation on host]
	- lxc (unimportant)
CVE-2013-6440 [XML eXternal Entity (XXE) flaw in ParserPool and Decrypter]
	- opensaml2 (Debian provides the C-based Shibboleth implementation)
CVE-2013-6437 [DoS through ephemeral disk backing files]
	- nova
CVE-2013-6430
	- libspring-java (bug #735420)
CVE-2013-6429
	- libspring-java (bug #735420)
CVE-2013-6418 [TOCTOU vulnerability in certificate validation]
	- pywbem (low; bug #732594)
CVE-2013-6413 [unrealircd: DoS, use after free]
	- unrealircd (bug #515130)
CVE-2013-6396 [does not properly verify the server SSL certificates]
	- python-swiftclient (bug #730626)
CVE-2013-6372
	- jenkins (Affected plugins are not shipped in Debian, bug #730457)
CVE-2013-6365 [CSRF edit.php]
	- php-horde 5.1.5+debian0-1 (bug #730110)
CVE-2013-6364 [XSS and CSRF search.php]
	- php-horde (Vulnerable code in turba)
CVE-2013-6275 [CSRF]
	- php-horde-ingo 3.1.3-1 (bug #727669)
CVE-2013-6242
	- open-xchange (bug #269329)
CVE-2013-6241
	- open-xchange (bug #269329)
CVE-2013-6236
	NOT-FOR-US: Stem Innovations IZON
CVE-2013-6223
	NOT-FOR-US: LiveZilla
CVE-2013-6117
	NOT-FOR-US: Dahua DVR
CVE-2013-6167
	- iceweasel (unimportant)
CVE-2013-6166
	- chromium-browser 31.0.1650.57-1 (low)
CVE-2013-6053
	- openjpeg (only affects 1.5, in experimental, see #731237)
CVE-2013-6049 [insecure temporary file creation]
	- apt-listbugs 0.1.10 (low)
CVE-2013-6047 [XSS in site creation interface]
	- ikiwiki-hosting 0.20131025
CVE-2013-5984
	NOT-FOR-US: Microweber
CVE-2013-5983
	NOT-FOR-US: GuppY
CVE-2013-5916
	NOT-FOR-US: WordPress plugin wp-e-commerce
CVE-2013-5749
	NOT-FOR-US: SimpleRisk
CVE-2013-5748
	NOT-FOR-US: SimpleRisk
CVE-2013-5743
	- zabbix 1:2.0.8+dfsg-2
CVE-2013-5680 [heap overflow]
	- hylafax (Not built with LDAP support)
CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
	NOTE: DNS protocol flaw
CVE-2013-5675
	NOT-FOR-US: Symantec Endpoint Protection
CVE-2013-5671 [Remote Command Injection]
	NOT-FOR-US: fog-dragonfly Ruby Gem
CVE-2013-5655
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5654
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5640
	NOT-FOR-US: Gnew
CVE-2013-5639
	NOT-FOR-US: Gnew
CVE-2013-5582
	NOT-FOR-US: Ammyy Admin
CVE-2013-5581
	NOT-FOR-US: Ammyy Admin
CVE-2013-5350
	NOT-FOR-US: OpenPNE
CVE-2013-5212
	NOT-FOR-US: easyXDM
CVE-2013-5123 [insecure mirroring]
	- python-pip 1.4.1-1 (unimportant)
CVE-2013-4985
	NOT-FOR-US: Vivotek IP Cameras
CVE-2013-4982
	NOT-FOR-US: AVTECH DVR
CVE-2013-4981
	NOT-FOR-US: AVTECH DVR
CVE-2013-4980
	NOT-FOR-US: AVTECH DVR
CVE-2013-4979 [Buffer Overflow]
	NOT-FOR-US: EPS Viewer
CVE-2013-4978 [Buffer Overflow]
	NOT-FOR-US: Aloaha PDF Suite
CVE-2013-4968
	- puppet (Only affects Puppet Enterprise)
CVE-2013-4772
	NOT-FOR-US: D-Link
CVE-2013-4752
	NOT-FOR-US: Symfony HttpFoundation component
CVE-2013-4751
	NOT-FOR-US: Symfony Validator component
CVE-2013-4739
	- linux (Android-specific camera drivers)
CVE-2013-4738
	- linux (Android-specific camera drivers)
CVE-2013-4730
	NOT-FOR-US: PCMan FTP Server
CVE-2013-4718 [XSS]
	NOT-FOR-US: OTRS ITSM
CVE-2013-4717 [SQL injection]
	{DSA-2733-1}
CVE-2013-4593
	- ruby-omniauth-facebook (bug #705766)
CVE-2013-4584 [ssl_outgoing_ciphers not applied to STARTTLS connections]
	- perdition (low; bug #729028)
CVE-2013-4583
	- gitlab (bug #651606)
CVE-2013-4582 [Local file inclusion vulnerability]
	- gitlab (bug #651606)
CVE-2013-4581 [Remote code execution vulnerability via Git SSH access]
	- gitlab (bug #651606)
CVE-2013-4580 [Unauthenticated API access to GitLab when using MySQL]
	- gitlab (bug #651606)
CVE-2013-4577 [should set safer permissions even when hashed passwords are found]
	- grub2 2.00-20 (unimportant; bug #632598)
CVE-2013-4574
	- mediawiki
CVE-2013-4572
	- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
CVE-2013-4571
	- mediawiki
CVE-2013-4570
	- mediawiki
CVE-2013-4565 [heap-based buffer overflow]
	- xlhtml (bug #729279)
CVE-2013-4562
	- ruby-omniauth-facebook (bug #705766)
CVE-2013-4561
	NOT-FOR-US: OpenShift
CVE-2013-4552
	NOT-FOR-US: drupalauth module for simpleSAMLphp
CVE-2013-4546 [remote command execution]
	- gitlab (bug #651606)
CVE-2013-4521
	NOT-FOR-US: Nuxeo
CVE-2013-4504
	NOT-FOR-US: Drupal contrib module
CVE-2013-4503
	NOT-FOR-US: Drupal contrib module
CVE-2013-4502
	NOT-FOR-US: Drupal contrib module
CVE-2013-4501
	NOT-FOR-US: Drupal contrib module
CVE-2013-4500
	NOT-FOR-US: Drupal contrib module
CVE-2013-4499
	NOT-FOR-US: Drupal contrib module
CVE-2013-4498
	NOT-FOR-US: Drupal contrib module
CVE-2013-4490 [Remote code execution vulnerability in the SSH key upload feature]
	- gitlab (bug #651606)
CVE-2013-4489 [Remote code execution vulnerability in the code search feature]
	- gitlab (bug #651606)
CVE-2013-4488
	- libgadu (unimportant)
CVE-2013-4472 [Race condition on temporary file]
	- poppler (unimportant)
CVE-2013-4471 [password reset vulnerability]
	- horizon 2013.2-1
CVE-2013-4468
	NOT-FOR-US: VICIDIAL
CVE-2013-4467
	NOT-FOR-US: VICIDIAL
CVE-2013-4463 [Compressed disk image DoS]
	- nova 2013.2-3 (bug #728605)
CVE-2013-4462
	NOT-FOR-US: WordPress plugin
CVE-2013-4455
	NOT-FOR-US: Katello
CVE-2013-4454
	NOT-FOR-US: WordPress plugin
CVE-2013-4451 [world writable files]
	- gitolite (vulnerable code introduced for v3.5.3)
CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled]
	- openldap (low; bug #729367)
CVE-2013-4442 [Silent fallback to insecure entropy]
	- pwgen (unimportant; bug #726578)
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
	- pwgen (unimportant; bug #726578)
CVE-2013-4440 [non-tty passwords are trivially weak by default]
	- pwgen (unimportant; bug #726578)
CVE-2013-4433 [xhprof: unspecified XSS]
	- xhprof 0.9.4-1 (bug #726284)
CVE-2013-4432 [a group member with no access rights to a folder can still view it]
	- mahara (low; bug #727539)
CVE-2013-4431 [Not checking ownership of blocks before editing them]
	- mahara (low; bug #727552)
CVE-2013-4430
	- mahara (unimportant; bug #727548)
CVE-2013-4429 [Arbitrary image download]
	- mahara (low; bug #727545)
CVE-2013-4427 [pyxtrlock Incorrect return value checking]
	NOT-FOR-US: pyxtrlock
CVE-2013-4426 [pyxtrlock mis-spelled variable name]
	NOT-FOR-US: pyxtrlock
CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal]
	- libtar (bug #731860)
CVE-2013-4413 [arbitrary files read]
	NOT-FOR-US: Wicked Ruby Gem
CVE-2013-4412 [NULL ptr dereference]
	- slim (bug #725902)
CVE-2013-4411
	- reviewboard (bug #653113)
CVE-2013-4410
	- reviewboard (bug #653113)
CVE-2013-4409 [unsanitized eval() vulnerability]
	- djblets (low; bug #726039)
CVE-2013-4406
	NOT-FOR-US: Quick Tabs Drupal contributed module
CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled]
	- libvirt 1.1.4-1
CVE-2013-4395
	NOT-FOR-US: Simple Machines Forum
CVE-2013-4383
	NOT-FOR-US: Drupal module
CVE-2013-4380
	NOT-FOR-US: Drupal module
CVE-2013-4367
	NOT-FOR-US: ovirt
CVE-2013-4357 [getaddrinfo() stack overflow]
	- eglibc
CVE-2013-4347 [Uses poor PRNG]
	- python-oauth2 (low; bug #722657)
CVE-2013-4346 [_check_signature() ignores the nonce value when validating signed urls]
	- python-oauth2 (low; bug #722656)
CVE-2013-4337
	NOT-FOR-US: Drupal module
CVE-2013-4336
	NOT-FOR-US: Drupal module
CVE-2013-4335
	NOT-FOR-US: opOpenSocialPlugin
CVE-2013-4334
	NOT-FOR-US: opWebAPIPlugin
CVE-2013-4333
	NOT-FOR-US: OpenPNE
CVE-2013-4331 [incorrect .Xauthority permissions]
	- lightdm 1.6.2-1 (bug #721744)
CVE-2013-4321 [TYPO3 File Abstraction Layer: Remote Code Execution]
	- typo3-src (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4320 [TYPO3 Core: Cross-Site Scripting, Remote Code Execution]
	- typo3-src (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4318
	NOT-FOR-US: Ruby gem Features
CVE-2013-4304 [mediawiki CentralAuth auth bypass]
	NOT-FOR-US: MediaWiki CentralAuth extension
CVE-2013-4303 [mediawiki XSS with IE6]
	- mediawiki 1:1.19.8+dfsg-1 (unimportant)
CVE-2013-4290 [stack-based buffer overflows]
	- openjpeg (bug #722540)
CVE-2013-4289 [heap-based buffer overflows]
	- openjpeg (bug #722540)
CVE-2013-4279
	- imapsync
CVE-2013-4275
	NOT-FOR-US: Drupal contributed module Zen
CVE-2013-4273
	NOT-FOR-US: Drupal contributed module Entity API
CVE-2013-4269
	- ajaxplorer (bug #668381)
CVE-2013-4268
	- ajaxplorer (bug #668381)
CVE-2013-4267
	- ajaxplorer (bug #668381)
CVE-2013-4262 [svnwcsub.py and irkerbridge.py are vulnerable to symlink attack]
	- subversion (Optional admin-side utilities in Subversion 1.8.x)
CVE-2013-4251 [weave /tmp and current directory issues]
	- python-scipy 0.12.0-3 (bug #726093)
CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer]
	- typo3-src (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4246 [FSFS repository corruption due to editing packed revision properties]
	- subversion (only affects 1.8.0 and 1.8.1)
CVE-2013-4241
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4240
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4228
	NOT-FOR-US: Organic Group Drupal contributed module
CVE-2013-4227
	NOT-FOR-US: Persona Drupal contributed module
CVE-2013-4226
	NOT-FOR-US: Authenticated User Page Caching Drupal contributed module
CVE-2013-4225
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal contributed module
CVE-2013-4224
	NOTE: Duplicate of CVE-2013-4187, thus rejected
CVE-2013-4223 [nullmailer world readable /etc/nullmailer/remotes]
	- nullmailer 1:1.11-2 (low; bug #684619)
CVE-2013-4215 [IPXPING_COMMAND uses fixed location in /tmp]
	- nagios-plugins (unimportant)
CVE-2013-4211
	NOT-FOR-US: OpenX
CVE-2013-4209 [ABRT: (substantially) limited leak of unauthorized information]
	NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2013-4201 [Katello: CLI - user without access can call "system remove_deletion" command]
	NOT-FOR-US: Katello
CVE-2013-4199 [plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)]
	NOT-FOR-US: Plone
CVE-2013-4198 [plone: Authenticated users able to alter their password despite a policy definition / setting prohibiting it (mail_password.py)]
	NOT-FOR-US: Plone
CVE-2013-4197 [plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py)]
	NOT-FOR-US: Plone
CVE-2013-4196 [plone: Multiple information exposure flaws via certain object methods (objectmanager.py)]
	NOT-FOR-US: Plone
CVE-2013-4195 [plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py)]
	NOT-FOR-US: Plone
CVE-2013-4194 [plone: File system path exposure (wysiwyg.py)]
	NOT-FOR-US: Plone
CVE-2013-4193 [plone: Anonymous users able to hide certain fields from content edit forms (typeswidget.py)]
	NOT-FOR-US: Plone
CVE-2013-4192 [plone: Ability to spoof emails (sendto.py)]
	NOT-FOR-US: Plone
CVE-2013-4191 [plone: Information exposure due to improper access control enforcement when generating zip archives (zip.py)]
	NOT-FOR-US: Plone
CVE-2013-4190 [plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)]
	NOT-FOR-US: Plone
CVE-2013-4189 [plone: Privilege escalation due to improper authorization (dataitems.py, get.py, traverseName.py)]
	NOT-FOR-US: Plone
CVE-2013-4188 [plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py)]
	NOT-FOR-US: Plone
CVE-2013-4187 [Access Bypass]
	NOT-FOR-US: Flippy Contributed Drupal module
CVE-2013-4184 [symlink attacks]
	- libdata-uuid-perl (low; bug #718949)
CVE-2013-4178
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4177
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4176 [information disclosure]
	NOT-FOR-US: MySecureShell
CVE-2013-4175 [local denial of service]
	NOT-FOR-US: MySecureShell
CVE-2013-4168 [start and end time fields not filtered]
	- smokeping 2.6.8-2
CVE-2013-4166 [problem in GPG key selection when encrypting mail]
	- evolution (unimportant)
CVE-2013-4161
	- gksu-polkit (CVE for improperly applied fix for CVE-2012-5617 on Red Hat)
CVE-2013-4158
	- smokeping (fix for CVE-2012-0790/DSA-2651-1 uses regexp from 2.6.9 upstream release)
CVE-2013-4152 [XML External Entity (XXE) injection flaw]
	{DSA-2842-1}
CVE-2013-4143
	NOT-FOR-US: xlockmore
CVE-2013-4133 [memory leak]
	- kde-workspace 4:4.10.5-3 (unimportant; bug #717180)
CVE-2013-4119
	- freerdp (The server part is not built)
CVE-2013-4118
	- freerdp (The server part is not built)
CVE-2013-4116 [npm: predictable temporary filenames when unpacking tarballs]
	- npm 1.3.10~dfsg-1 (bug #715325)
CVE-2013-4110
	NOT-FOR-US: Cryptocat
CVE-2013-4109
	NOT-FOR-US: Cryptocat
CVE-2013-4108
	NOT-FOR-US: Cryptocat
CVE-2013-4107
	NOT-FOR-US: Cryptocat
CVE-2013-4106
	NOT-FOR-US: Cryptocat
CVE-2013-4105
	NOT-FOR-US: Cryptocat
CVE-2013-4104
	NOT-FOR-US: Cryptocat
CVE-2013-4103
	NOT-FOR-US: Cryptocat
CVE-2013-4102
	NOT-FOR-US: Cryptocat
CVE-2013-4101
	NOT-FOR-US: Cryptocat
CVE-2013-4100
	NOT-FOR-US: Cryptocat
CVE-2013-4088 [Information Disclosure]
	{DSA-2712-1}
CVE-2013-3843
	- monkey
CVE-2013-3734 [Datasource password visible to administrator]
	NOT-FOR-US: Embedded Jopr
CVE-2013-3729
	NOT-FOR-US: Kasseler CMS
CVE-2013-3728
	NOT-FOR-US: Kasseler CMS
CVE-2013-3727
	NOT-FOR-US: Kasseler CMS
CVE-2013-3718 [evince missing check on number of pages]
	- evince 3.10.0-1
CVE-2013-3703
	NOT-FOR-US: Open Build Service
CVE-2013-3685
	NOT-FOR-US: Sprite Software's backup software for Android
CVE-2013-3587 [BREACH attack against HTTP compression]
	TODO: check
CVE-2013-3571 [FD leak]
	- socat 1.7.1.3-1.5 (low; bug #709931)
CVE-2013-3565 [XSS in HTTP Interface]
	- vlc 2.0.7-1 (unimportant)
CVE-2013-3551
	{DSA-2696-1}
CVE-2013-3514
	NOT-FOR-US: OpenX
CVE-2013-2764
	NOT-FOR-US: Secure Entry Server
CVE-2013-2758
	NOT-FOR-US: CloudStack
CVE-2013-2756
	NOT-FOR-US: CloudStack
CVE-2013-2745 [SQL Injection]
	- minidlna (low; bug #717131)
CVE-2013-2739 [heap-based buffer overflow]
	- minidlna (low; bug #717131)
CVE-2013-2738 [SQL Injection]
	- minidlna (low; bug #717131)
CVE-2013-2625
	- otrs2 3.1.7+dfsg1-8
CVE-2013-2623
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2622
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2621
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2600 [MiniUPnPd information disclosure]
	- miniupnpd 1.8.20130730-1 (bug #716936)
CVE-2013-2595
	NOT-FOR-US: Qualcomm MSM Camera driver
CVE-2013-2574
	NOT-FOR-US: Foscam
CVE-2013-2565
	NOT-FOR-US: Mambo CMS
CVE-2013-2564
	NOT-FOR-US: Mambo CMS
CVE-2013-2563
	NOT-FOR-US: Mambo CMS
CVE-2013-2562
	NOT-FOR-US: Mambo CMS
CVE-2013-2298
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2294
	NOT-FOR-US: ViewGit
CVE-2013-2262
	NOT-FOR-US: Cryptocat
CVE-2013-2261
	NOT-FOR-US: Cryptocat
CVE-2013-2260
	NOT-FOR-US: Cryptocat
CVE-2013-2259
	NOT-FOR-US: Cryptocat
CVE-2013-2258
	NOT-FOR-US: Cryptocat
CVE-2013-2257
	NOT-FOR-US: Cryptocat
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
	- cinder
CVE-2013-2233 [not caching SSH host keys]
	- ansible 1.3.4+dfsg-1 (bug #714822)
CVE-2013-2228 [RSA exponent of 1]
	- salt 0.15.1-1
CVE-2013-2227 [local file inclusion]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2226 [Multiple SQL injections]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2225
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2214 [nagios3: information leak]
	- nagios3 3.4.1-4 (low)
CVE-2013-2213 [KRandom::random() Small Space of Random Values]
	- kdeplasma-addons (only affects if incomplete patch for CVE-2013-2120 is applied)
CVE-2013-2198
	NOT-FOR-US: Login Security Drupal contributed module
CVE-2013-2193 [Apache HBase Man in the Middle Vulnerability]
	NOT-FOR-US: Apache HBase
CVE-2013-2192 [Apache Hadoop Man in the Middle Vulnerability]
	NOT-FOR-US: Apache Hadoop
CVE-2013-2191
	NOT-FOR-US: python-bugzilla
CVE-2013-2184 [unsafe use of Storable::thaw]
	- movabletype-opensource 5.2.7+dfsg-1 (bug #712602)
CVE-2013-2183
	- monkey (low)
CVE-2013-2182 [monkey security rules bypass]
	- monkey (low)
CVE-2013-2180
	NOT-FOR-US: uk-cookie WordPress plugin, not in Debian
CVE-2013-2167 [middleware memcache signing bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2166 [middleware memcache encryption bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2163 [monkey denial of service]
	- monkey (low)
CVE-2013-2159 [monkey broken authentication]
	- monkey
CVE-2013-2150 [XSS vulnerability in js/viewer.js]
	- owncloud (affects only experimental version)
CVE-2013-2149 [XSS vulnerability in core/js/oc-dialogs.js]
	- owncloud 4.0.16debian-1 (bug #711517)
CVE-2013-2131 [format string vulnerability]
	- rrdtool (unimportant; bug #708866)
CVE-2013-2130 [null pointer dereference in webadmin]
	- znc 1.0-5 (bug #720632)
CVE-2013-2125 [DoS in TLS Support]
	- opensmtpd 5.3.3p1-1
CVE-2013-2124 [libguestfs: DoS due to a double-free when inspecting certain guest files]
	- libguestfs 1:1.20.8-1 (bug #710290)
CVE-2013-2120 [weak generated passwords]
	- kdeplasma-addons (low; bug #710497)
CVE-2013-2111 [DoS (daemon hang) when parsing invalid IMAP APPEND command parameters]
	- dovecot (vulnerable code appeared in 2.2)
CVE-2013-2109
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2108
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2107
	NOT-FOR-US: WordPress plugin mail-on-update
CVE-2013-2106 [Authentication credential disclosure]
	- webauth (vulnerable code only in 4.4.1 up to 4.5.2)
CVE-2013-2105
	NOT-FOR-US: Show In Browser Ruby Gem
CVE-2013-2100
	NOT-FOR-US: Gentoo Portage binary package installer
CVE-2013-2097 [zPanel themes remote command execution as root]
	NOT-FOR-US: zPanel
CVE-2013-2093
	- dolibarr 3.3.4-1 (high)
CVE-2013-2092
	- dolibarr 3.3.4-1
CVE-2013-2091
	- dolibarr 3.3.4-1
CVE-2013-2090 [Remote command injection]
	NOT-FOR-US: Creme Fraiche Ruby Gem
CVE-2013-2089 [owncloud: oC-SA-2013-026]
	- owncloud (Only affects 5.0.x)
CVE-2013-2087 [gallery: multiple xss]
	- gallery (Vulnerable code not present)
CVE-2013-2086 [owncloud: oC-SA-2013-027]
	- owncloud (Only owncloud 5.0.x)
CVE-2013-2085 [owncloud: oC-SA-2013-020]
	- owncloud (Only affects 5.0.x)
CVE-2013-2075
	- chicken (Incomplete fix was never applied)
CVE-2013-2074 [prints passwords contained in HTTP URLs in error messages]
	- kde4libs 4:4.10.5-1 (low; bug #707776)
CVE-2013-2073 [Does not validate HTTPS server certificate]
	- transifex-client 0.9-1 (low)
CVE-2013-2060
	NOT-FOR-US: OpenShift
CVE-2013-2057
	NOT-FOR-US: YaBB
CVE-2013-2049
	NOT-FOR-US: CloudForms Management Engine
CVE-2013-2048 [owncloud: oC-SA-2013-025]
	- owncloud (Only affects 5.0.x)
CVE-2013-2047 [owncloud: oC-SA-2013-023]
	- owncloud (Only 5.0.x)
CVE-2013-2046 [owncloud: oC-SA-2013-019]
	- owncloud (Only affects 4.5.x)
CVE-2013-2045 [owncloud: oC-SA-2013-019]
	- owncloud (Only affects 5.0.x)
CVE-2013-2044 [owncloud: oC-SA-2013-022]
	- owncloud (Only 5.0.x)
CVE-2013-2043 [owncloud: oC-SA-2013-024]
	- owncloud (Only 5.0.x and 4.5.x)
CVE-2013-2042 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2041 [owncloud: oC-SA-2013-021]
	- owncloud (Only affects 5.0.x)
CVE-2013-2040 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2039 [owncloud: oC-SA-2013-020]
	- owncloud 4.0.15debian-1
CVE-2013-2038 [DoS (packet parser crash) in the AIS driver when processing malformed packet]
	- gpsd 3.6-5 (bug #706665)
CVE-2013-2034 [jenkins CSRF]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2033 [jenkins XSS]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2025
	NOT-FOR-US: Ushahidi
CVE-2013-2024 [OS command injection vulnerability in Chicken Scheme]
	- chicken 4.8.0.3-1 (bug #706525)
CVE-2013-2019 [stack overflow vulnerabilities in the XML parser]
	- boinc 6.13.6+dfsg-1 (low)
CVE-2013-2018 [SQL injections in the server-side scheduler code]
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2016 [qemu: virtio: out-of-bounds config space access]
	- qemu 1.5.0+dfsg-1 (bug #710822)
CVE-2013-2014 [no limitation for requests and headers size which can cause a crash]
	- keystone 2013.1.1-2 (bug #708515)
CVE-2013-2012 [autojump profile will load random stuff from a directory called custom_install]
	- autojump (vulnerable code not present for unstable)
CVE-2013-2011
	NOT-FOR-US: WP Super Cache
CVE-2013-2010
	NOT-FOR-US: W3 Total Cache
CVE-2013-2009
	NOT-FOR-US: WP Super Cache
CVE-2013-2008
	NOT-FOR-US: WP Super Cache
CVE-2013-1980
	- xmp 3.4.0-3 (low; bug #706667)
CVE-2013-1973
	NOT-FOR-US: Drupal contributed module
CVE-2013-1967 [mediaelement flashmediaelement XSS]
	- owncloud (Vulnerable code not present)
CVE-2013-1963
	- owncloud (Vulnerable code not present)
CVE-2013-1951
	- mediawiki 1:1.19.5-1
CVE-2013-1946
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal contributed module
CVE-2013-1941 [Postgre: Insecure database password generator]
	- owncloud 5.0.4~rc1+dfsg-1
CVE-2013-1939 [Windows: Local file disclosure]
	- owncloud (Windows version only)
CVE-2013-1938
	NOT-FOR-US: Zimbra
CVE-2013-1934 [mantis: XSS issue in adm_config_report.php when displaying complex value]
	- mantis (low; bug #717482)
CVE-2013-1932 [mantis: XSS vulnerability on Configuration Report page]
	- mantis (affects Mantis 1.2.13 only)
CVE-2013-1931 [mantis: XSS vulnerability when deleting a version]
	- mantis (affects Mantis 1.2.14 only)
CVE-2013-1930 [mantis: Close button available to users despite workflow restrictions]
	- mantis (affects only Mantis 1.2.12 and later)
CVE-2013-1924
	NOT-FOR-US: Commerce Skrill Drupal module
CVE-2013-1916
	NOT-FOR-US: WordPress plugin
CVE-2013-1910 [Not removing bad metadata and using it in next run]
	- yum (unimportant)
CVE-2013-1904 [roundcube variable overwrite]
	- roundcube 0.7.2-9
CVE-2013-1895 [concurrency issue leading to auth bypass]
	- python-bcrypt (bug #704030)
CVE-2013-1893
	- owncloud (only affecting 5.0 branch)
CVE-2013-1890
	- owncloud (only affecting 5.0 branch)
CVE-2013-1889
	- libapache2-mod-ruid2 0.9.8-1 (low; bug #704066)
CVE-2013-1886
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1885
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1883 [mantis: remote DoS]
	- mantis (only affects 1.2.12 to 1.2.14)
CVE-2013-1880 [XSS vulnerability in portfolioPublish demo application]
	- activemq (portfolio demo app not shipped in Debian package)
CVE-2013-1874 [Chicken Scheme: code execution]
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2013-1864 [Ekiga billion laughs flaw in ptlib]
	NOTE: http://www.openwall.com/lists/oss-security/2013/03/15/6
CVE-2013-1853 [Almanah doesn't encrypt the database]
	- almanah 0.9.1-1 (bug #702905)
CVE-2013-1851 [user_migrate: Local file disclosure]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1850 [Contacts: Bypass of file blacklist]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1841 [Reverse lookup issue in Net::Server]
	- libnet-server-perl (low; bug #702914)
CVE-2013-1822
	- owncloud (owncloud stable4 (4.0.x) is not affected)
CVE-2013-1820
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2013-1818 [mediawiki mwdoc-filter.php information disclosure]
	- mediawiki (mwdoc-filter.php introduced in 1.20)
CVE-2013-1817 [mediawiki information disclosure in unblock API]
	- mediawiki 1:1.19.4-1 (bug #702305)
CVE-2013-1816 [mediawiki insecure curl usage]
	- mediawiki 1:1.19.4-1
CVE-2013-1811 [Reporter can change issue status to 'new']
	- mantis (low; bug #698481)
CVE-2013-1810 [summary.php category/project names XSS vulnerability]
	- mantis (only affects MantisBT 1.2.12)
CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
	- gambas3 3.5.1-1 (low; bug #702184)
CVE-2013-1771 [monkey: world-readable logdir]
	- monkey (low)
CVE-2013-1770 [XSS issues in views_view.php]
	- ganglia (low; bug #700158)
CVE-2013-1764
	- packagekit (Zypp backend specific to SuSE)
CVE-2013-1753
	- python2.5 (low)
CVE-2013-1752
	- python2.5 (low)
CVE-2013-1751
	- twiki
CVE-2013-1689
	[wheezy] - iceape
CVE-2013-1666
	- foswiki (bug #509864)
CVE-2013-1470 [XSS in geeklog]
	NOTE: There was an RFP a long time ago, bug #203818
CVE-2013-1437 [Code execution when gathering version metadata]
	- perl 5.18.1-2
CVE-2013-1436 [code injection]
	- xmonad-contrib 0.11.2-1 (low)
CVE-2013-1429 [Lintian unsafe symlinks]
	- lintian 2.5.10.5 (bug #705553; unimportant)
CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
	- mahara
CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions expose password hashes]
	- ldap-git-backup 1.0.4-1 (bug #699227)
CVE-2013-0243 [Basic constraints vulnerability]
	- haskell-tls-extra 0.4.6.1-1 (bug #698545)
CVE-2013-1376
	NOT-FOR-US: Adobe Reader
CVE-2013-0870 [libavcodec/vp3.c: 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a]
	- ffmpeg (No threading support in vp3 from ffmpeg 0.5)
CVE-2013-0350 [writes content from TCP streams to publicly readable file /tmp/smtp.log]
	- pktstat 1.8.5-3 (bug #701211)
CVE-2013-0347 [webfs world-readable logdir]
	- webfs 1.21+ds1-9 (low; bug #701638)
CVE-2013-0346 [tomcat world-readable logdir]
	- tomcat6 (Log files are owned by tomcat:tomcat)
CVE-2013-0345 [varnish world-readable logdir]
	- varnish (Logfiles are owned by varnishlog:varnishlog)
CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
	- pyrad (low; bug #701151)
CVE-2013-0336 [DoS when connecting with a missing username/dn]
	- 389-ds-base (bug #704077)
CVE-2013-0326
	- nova (low)
CVE-2013-0307 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0303 [Multiple code executions]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0301 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0300 [Multiple CSRF vulnerabilities]
	- owncloud (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0299 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0298 [XSS vulnerability]
	- owncloud (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0297 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0296 [creates temp files with too wide permissions]
	- pigz 2.2.4-2 (low; bug #700608)
CVE-2013-0294 [potentially predictable password hashing]
	- pyrad 2.0-2 (low; bug #700669)
CVE-2013-0293 [Lock screen accepts F2 to drop to shell]
	- ovirt-node (bug #502024)
CVE-2013-0289 [missing SSL subject verification]
	- isync 1.0.4-2.2 (low; bug #701052)
CVE-2013-0267
	NOT-FOR-US: Apache VCL
CVE-2013-0264
	NOT-FOR-US: Cumin
CVE-2013-0250 [corosync: Remote DoS due to improper HMAC initialization]
	- corosync (Introduced in v1.99.8-2-ge925f42; bug #699615)
CVE-2013-0234
	- elgg (bug #526197)
CVE-2013-0204 [Code execution in external storage]
	- owncloud (Vulnerable code not present, only affects 4.5 branch)
CVE-2013-0203 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0202 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0201 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0199
	NOT-FOR-US: FreeIPA
CVE-2013-0197 [XSS vulnerability with match_type filter]
	- mantis (This only affects the 1.2.12 version, which isn't present in Debian, bug #698481)
CVE-2013-0195 [Unspecified XSS]
	- piwik (bug #506933)
CVE-2013-0194 [Unspecified XSS]
	- piwik (bug #506933)
CVE-2013-0193 [Unspecified XSS]
	- piwik (bug #506933)
CVE-2013-0192
	NOT-FOR-US: Simple Machines Forum
CVE-2013-0191 [pam-pgsql NULL password handling issue]
	- pam-pgsql 0.7.3.1-4 (bug #698241)
CVE-2013-0185
	NOT-FOR-US: ManageIQ EVM (CloudForms)
CVE-2013-0178 [redis 2.4: Insecure temporary file use for redis service's vm swap file]
	- redis 2:2.6.0-1 (low)
CVE-2013-0177
	NOT-FOR-US: OFBiz
CVE-2013-0161
	NOT-FOR-US: Havalite CMS
CVE-2013-0159
	NOT-FOR-US: Fedora build script