From stmoore at us.ibm.com  Wed Feb  5 09:18:43 2014
From: stmoore at us.ibm.com (Scott Moore)
Date: Wed, 5 Feb 2014 10:18:43 -0500
Subject: [VIM] IBM Financial Transaction Manager Vulnerabilities
Message-ID: <OFEF3C7745.A1D04C4F-ON87257C76.0053B5D5-85257C76.00541DD6@us.ibm.com>


Hello VIM colleagues.

In mid December there was a confusing changelog issued by the IBM Financial
Transaction Manager team that listed several vulnerabilities.  These were
picked up by several vulnerability databases.

We have worked with the product team and the PSIRT team to consolidate some
issues, and eliminate others that were not actual vulnerabilities.

The actual vulnerabilities are as follows:

CVE-2014-0830: FTM 2.0 and 2.1 Table export function exposes a path
traversal vulnerability

CVE-2014-0831: FTM 2.0 OAC is not protected from cross site request forgery
vulnerabilities.

CVE-2014-0832: FTM 2.0 Configuration details screens are exposed to cross
site scripting vulnerabilities.

CVE-2014-0833: FTM 2.0 OAC could accept a request to execute a resolution
action where the user is not authorized.

FTM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21662714


Thanks.

-----
Scott Moore
Vulnerability Database - Team Lead
X-Force Research and Development
IBM Security Systems
Office: 404-348-9288
Cell: 404-643-1260
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.attrition.org/pipermail/vim/attachments/20140205/5ed6954b/attachment.html>

From geissert at debian.org  Sat Feb  8 05:17:31 2014
From: geissert at debian.org (Raphael Geissert)
Date: Sat, 8 Feb 2014 12:17:31 +0100
Subject: [VIM] Fwd: Old CVE ids, public, but still "RESERVED"
Message-ID: <201402081217.32134.geissert@debian.org>

Sending a copy to oss-sec, in case there are people interested in this kind 
of information.

----------  Forwarded Message  ----------

Subject: Old CVE ids, public, but still "RESERVED"
Date: Friday 24 January 2014
From: Raphael Geissert <geissert at debian.org>
To: Vulnerability Information Managers <vim at attrition.org>

Hi,

Attached are a list of CVE ids which are still marked as RESERVED
(i.e. no description/links/etc have been set) yet our security tracker
knows about them. The tracker only containing public data, it means
that the ids are not embargoed.

Hopefully these lists can be useful to MITRE to catch up on those, or
to anyone else.
I can generate these and other reports regularly if desired.

Notes:
* The year in the file name corresponds to the year in the CVE id, not
necessarily the year of assignment.
* The lists only contain the CVE id, probably a short description, and
one line of data from our tracker. The full data can be obtained
either by going to
https://security-tracker.debian.org/tracker/CVE-YYYY-XXXX or by
looking up on our text database.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
CVE-2011-4973 [mod_nss FakeBasicAuth authentication bypass]
	- libapache2-mod-nss <unfixed> (low; bug #729626)
CVE-2011-4972 [CKEditor module for Drupal access bypass]
	NOT-FOR-US: Drupal module
CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
	- lcgdm 1.8.6-1 (low; bug #702895)
CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
	- nginx <unfixed> (low; bug #697940)
CVE-2011-4967
	NOT-FOR-US: OpenPegasus
CVE-2011-4958 [silverstripe:XSS]
	- silverstripe <itp> (bug #528461)
CVE-2011-4955
	NOT-FOR-US: wordpress bsuite plugin
CVE-2011-4954
	- cobbler <itp> (bug #545583)
CVE-2011-4953
	- cobbler <itp> (bug #545583)
CVE-2011-4952
	- cobbler <itp> (bug #545583)
CVE-2011-4938
	NOT-FOR-US: Ariadne CMS not in Debian
CVE-2011-4937
	- joomla <itp> (bug #571794)
CVE-2011-4936
	- joomla <itp> (bug #571794)
CVE-2011-4935
	- joomla <itp> (bug #571794)
CVE-2011-4934
	- joomla <itp> (bug #571794)
CVE-2011-4933
	- joomla <itp> (bug #571794)
CVE-2011-4931
	- gpw <unfixed> (unimportant; bug #651510)
CVE-2011-4930
	- condor <not-affected> (Fixed before initial release)
CVE-2011-4924
	- zope2.12 2.12.22-1
CVE-2011-4919 [mpack info disclosure]
	- mpack 1.6-8 (low; bug #655971)
CVE-2011-4917
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4915
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4912
	NOT-FOR-US: Joomla
CVE-2011-4908
	NOT-FOR-US: Joomla
CVE-2011-4907
	NOT-FOR-US: Joomla
CVE-2011-4906
	NOT-FOR-US: Joomla
CVE-2011-4904
	{DSA-2289-1}
CVE-2011-4903
	{DSA-2289-1}
CVE-2011-4902
	{DSA-2289-1}
CVE-2011-4901
	{DSA-2289-1}
CVE-2011-4900
	{DSA-2289-1}
CVE-2011-4632
	{DSA-2289-1}
CVE-2011-4631
	{DSA-2289-1}
CVE-2011-4630
	{DSA-2289-1}
CVE-2011-4629
	{DSA-2289-1}
CVE-2011-4628
	{DSA-2289-1}
CVE-2011-4627
	{DSA-2289-1}
CVE-2011-4626
	{DSA-2289-1}
CVE-2011-4625 [simplesamlphp xml encryption issues]
	{DSA-2330-1}
CVE-2011-4624
	NOT-FOR-US: WordPress flash-album-gallery
CVE-2011-4613 [X launcher permission bypass]
	{DSA-2364-1}
CVE-2011-4610
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2011-4600
	- libvirt 0.9.9-1 (low)
CVE-2011-4595
	NOT-FOR-US: WordPress pretty-link plugin
CVE-2011-4580
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-4573
	NOT-FOR-US: JBoss Operations Network
CVE-2011-4558
	- tikiwiki <removed>
CVE-2011-4455
	- tikiwiki <removed>
CVE-2011-4454
	- tikiwiki <removed>
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
	- software-properties 0.76.7debian2+nmu2
CVE-2011-4406
	- accountsservice 0.6.15-3
CVE-2011-4366
	NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
	NOTE: duplicate of CVE-2011-4090
CVE-2011-4350
	- yaws 1.91-2 (bug #650009)
CVE-2011-4343
	NOT-FOR-US: Apache MyFaces
CVE-2011-4338
	NOT-FOR-US: Arch-Linux specific tool
CVE-2011-4336
	NOT-FOR-US: Tiki Wiki
CVE-2011-4334
	NOT-FOR-US: LabWiki
CVE-2011-4333
	NOT-FOR-US: LabWiki
CVE-2011-4327
	- openssh <not-affected> (Only affects platforms w/o /dev/random)
CVE-2011-4322
	NOT-FOR-US: websitebaker
CVE-2011-4310
	- cmsms <itp> (bug #608888)
CVE-2011-4195
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4193
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4192
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4121
	- ruby1.9.1 <not-affected> (Only affected trunk versions)
CVE-2011-4120 [authentication bypass by pressing ctrl-d]
	- yubico-pam 2.10-1
CVE-2011-4117
	NOT-FOR-US: perl Batch::BatchRun CPAN module
CVE-2011-4116
	- perl <unfixed> (unimportant)
CVE-2011-4115
	- libparallel-forkmanager-perl <not-affected> (issue introduced in 0.7.6 upstream, never in Debian)
CVE-2011-4111
	- qemu 0.15.1+dfsg-2
CVE-2011-4104
	- django-tastypie 0.9.10-1 (bug #647314)
CVE-2011-4103 [YAML deserialization vulnerability in Piston framework]
	{DSA-2344-1}
CVE-2011-4099
	- libcap2 1:2.22-1 (low)
CVE-2011-4095
	NOT-FOR-US: Jara
CVE-2011-4094
	NOT-FOR-US: Jara
CVE-2011-4093
	- net6 1:1.3.14-1 (low; bug #647318)
CVE-2011-4092
	- obby <unfixed> (low; bug #647317)
CVE-2011-4091
	[squeeze] - net6 <no-dsa> (Minor issue)
CVE-2011-4090 [serendipity before 1.6 backend XSS in karma plugin]
	- serendipity <removed> (bug #650937)
CVE-2011-4089
	- bzip2 1.0.6-1 (low; bug #632862)
CVE-2011-4088
	NOT-FOR-US: abrt/libreport
CVE-2011-4083
	NOT-FOR-US: RedHat sos
CVE-2011-4082
	- phpldapadmin 0.9.8-1
CVE-2011-3923
	- libstruts1.2-java <not-affected> (Only affects 2.x)
CVE-2011-3642 [flowplayer-core: Arbitrary plugins with remote code execution (XSS)]
	- mahara <removed> (low; bug #699230)
CVE-2011-3634
	- apt 0.8.11 (low)
CVE-2011-3632 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3631 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3630 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3629
	NOT-FOR-US: Joomla
CVE-2011-3628
	- pam 1.1.3-7 (low; bug #670076)
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
	- mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987)
CVE-2011-3624
	- ruby1.8 <unfixed> (low; bug #646020)
CVE-2011-3623 [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
	- vlc 1.1.3-1
CVE-2011-3622
	NOT-FOR-US: phorum
CVE-2011-3621
	NOT-FOR-US: fluxbb
CVE-2011-3618 [atop insecure tempfile handling]
	- atop 1.23-1.1 (low; bug #622794)
CVE-2011-3617 [tahoe-lafs: an unauthorized user can delete files]
	- tahoe-lafs 1.8.3-1 (bug #641540)
CVE-2011-3614 [vanilla plugin access control]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3613 [vanilla forums cookie theft]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
	NOT-FOR-US: Serendipity plugin
CVE-2011-3609 [CSRF in the JBoss AS 7 administration console & HTTP management API]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3606 [DOM based XSS in the JBoss AS 7 administration console]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3605
	{DSA-2323-1}
CVE-2011-3604
	{DSA-2323-1}
CVE-2011-3603
	NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3602
	{DSA-2323-1}
CVE-2011-3601
	{DSA-2323-1}
CVE-2011-3600
	- libxmlrpc3-java 3.1.3-1 (low)
CVE-2011-3596
	- polipo 1.0.4.1-1.2 (bug #644289)
CVE-2011-3595
	- joomla <itp> (bug #571794)
CVE-2011-3592 [phpMyAdmin did not properly sanitize the content of db, table, and column names prior use of their values.]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3591 [PMASA-2011-14 XSS]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3590 [mkdumprd utility created the final initial ramdisk image with...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3589 [mkdumprd utility copied content of certain directories into newly...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3588 [kdump/mkdumprd: the default value of "StrictHostKeyChecking=no"]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3586
	NOTE: Dupe of CVE-2011-3504, to be rejected
CVE-2011-3585
	- samba 2:3.4.7~dfsg-2 (low)
CVE-2011-3584 [TYPO3-SA-2011-003]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641683)
CVE-2011-3583 [TYPO3-SA-2011-002]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641682)
CVE-2011-3582
	NOT-FOR-US: Advanced Electron Forums
CVE-2011-3350 [masqmail improper privilege dropping]
	- masqmail 0.2.30-1 (low; bug #638002)
CVE-2011-3377 [IcedTea browser plugin Same Origin Policy suffix issue]
	{DSA-2420-1}
CVE-2011-3374 [apt-key insecure validation]
	- apt <unfixed> (unimportant; bug #642480)
CVE-2011-3373
	NOT-FOR-US: Views Bulk Operations module for Drupal
CVE-2011-3370
	- statusnet <itp> (bug #491723)
CVE-2011-3355
	- evolution-data-server3 3.2.1-1 (bug #641052)
CVE-2011-3352
	NOT-FOR-US: Zikula
CVE-2011-3351
	- openvas-scanner <unfixed> (bug #641327; low)
CVE-2011-3349 [lightdm denial of service]
	- lightdm 0.9.6-1 (bug #639151)
CVE-2011-3346
	- qemu-kvm 0.15.1+dfsg-1 (bug #646118)
CVE-2011-3344
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3203 [Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution]
	NOT-FOR-US: Jcow
CVE-2011-3202 [Jcow CMS 4.2 <= | Cross Site Scripting]
	NOT-FOR-US: Jcow
CVE-2011-3199
	{DSA-2365-1}
CVE-2011-3198
	{DSA-2365-1}
CVE-2011-3197
	{DSA-2365-1}
CVE-2011-3196
	{DSA-2365-1}
CVE-2011-3195
	{DSA-2365-1}
CVE-2011-3183
	NOT-FOR-US: Concrete CMS
CVE-2011-3180
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-3154
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3153
	- lightdm 1.0.6-2
CVE-2011-3152
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3145
	{DSA-2382-1}
CVE-2011-2941
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-2936
	- elgg <itp> (bug #526197)
CVE-2011-2935
	- elgg <itp> (bug #526197)
CVE-2011-2934
	NOT-FOR-US: WebsiteBaker
CVE-2011-2933
	NOT-FOR-US: WebsiteBaker
CVE-2011-2927
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2924
	- foomatic-filters 4.0.12-1 (low)
CVE-2011-2923
	- foomatic-filters <unfixed> (unimportant)
CVE-2011-2922
	- ktsuss <removed>
CVE-2011-2921
	- ktsuss <removed>
CVE-2011-2920
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2916
	- qtnx <removed> (low; bug #637439)
CVE-2011-2910
	- ax25-tools 0.0.8-13.2 (low; bug #638198)
CVE-2011-2909
	{DSA-2303-1}
CVE-2011-2902 [xpdf: insecure tempfile usage]
	- xpdf 3.02-19 (low; bug #635849)
CVE-2011-2897
	- gdk-pixbuf <not-affected> (This only applies to the old standalone copy shipped until Lenny)
CVE-2011-2765 [pyro: insecure use of temporary pid file]
	- pyro 1:3.14-1 (low; bug #631912)
CVE-2011-2727
	NOT-FOR-US: Tribiq CMS
CVE-2011-2726 [SA-CORE-2011-003]
	- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
	- kdeutils 4:4.6.5-4 (low; bug #635541)
CVE-2011-2717
	NOT-FOR-US: udhcp6c
CVE-2011-2715
	NOT-FOR-US: Drupal data module
CVE-2011-2714
	NOT-FOR-US: Drupal data module
CVE-2011-2706
	NOT-FOR-US: sNews
CVE-2011-2702 [eglibc signedness vulnerability in ssse3 optimizations]
	- eglibc 2.13-10
CVE-2011-2684
	- foo2zjs 20110722dfsg-1 (low; bug #633870)
CVE-2011-2683
	- reseed <removed>
CVE-2011-2538
	- plone3 <removed>
CVE-2011-2523
	- vsftpd <not-affected> (backdoored version was never in the Debian archive)
CVE-2011-2515
	- packagekit 0.6.17-1
CVE-2011-2514
	- openjdk-6 6b21~pre1-1
CVE-2011-2513
	- openjdk-6 6b21~pre1-1
CVE-2011-2500
	- nfs-utils 1:1.2.4-1 (bug #633155)
CVE-2011-2499
	NOT-FOR-US: Mambo CMS
CVE-2011-2498
	- linux-2.6 2.6.39-1 (low)
CVE-2011-2487
	NOT-FOR-US: Apache CXF
CVE-2011-2480 [kfreebsd info disclosure]
	- kfreebsd-9 9.0~svn223502-1 (bug #631160)
CVE-2011-2207
	- dirmngr <unfixed> (unimportant; bug #627377)
CVE-2011-2187
	- xscreensaver 5.14-1 (bug #627382)
CVE-2011-2186
	NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
CVE-2011-2177
	- libreoffice <undetermined>
CVE-2011-2198 [vte memory exhaustion]
	- vte 1:0.28.1-1 (low; bug #629688)
CVE-2011-2054
	NOT-FOR-US: ** REJECT ** CVE-2011-2054 misused as CVE-2011-2524
CVE-2011-1939
	- zendframework 1.11.6-1 (low)
CVE-2011-1935 [packet truncation in libpcap]
	- libpcap 1.1.1-4 (low; bug #623868)
CVE-2011-1934 [lilo: lilo.conf world-readable]
	- lilo 23.1-2 (low; bug #615103)
CVE-2011-1933
	- libjifty-dbi-perl 0.68-1 (low; bug #622919)
CVE-2011-1930
	- klibc 1.5.22-1 (low)
CVE-2011-1837
	{DSA-2382-1}
CVE-2011-1836
	- ecryptfs-utils 92-1
CVE-2011-1835
	{DSA-2382-1}
CVE-2011-1834
	{DSA-2382-1}
CVE-2011-1832
	{DSA-2382-1}
CVE-2011-1831
	{DSA-2382-1}
CVE-2011-1798
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1796
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1795
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1794
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1793
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1773
	NOT-FOR-US: virt-v2v
CVE-2011-1749 [nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE]
	- nfs-utils 1:1.2.3-3 (low; bug #629420)
CVE-2011-1597
	NOT-FOR-US: OpenVAS Manager
CVE-2011-1596
	NOT-FOR-US: ** REJECT ** (regular bug in gnome-screensaver-dialog)
CVE-2011-1594
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1588
	- thunar <not-affected> (Introduced in 1.2, only in experimental)
CVE-2011-1490
	- rsyslog 5.7.6-1 (low)
CVE-2011-1489
	- rsyslog 5.7.6-1 (low)
CVE-2011-1488
	- rsyslog 5.7.6-1 (low)
CVE-2011-1474
	NOT-FOR-US: PaX hardening patch
CVE-2011-1408 [ikiwiki tty hijacking vulnerability]
	- ikiwiki 3.20110608 (low)
CVE-2011-1151
	NOT-FOR-US: Joomla!
CVE-2011-1150
	NOT-FOR-US: bbPress
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
	- unixodbc 2.2.14p2-3 (low; bug #617655)
CVE-2011-1086
	NOT-FOR-US: openfiler
CVE-2011-1085
	NOT-FOR-US: smoothwall
CVE-2011-1084
	NOT-FOR-US: smoothwall
CVE-2011-1070
	- v86d 0.1.10-1 (low; bug #619404)
CVE-2011-1069
	NOT-FOR-US: PHPShop
CVE-2011-1028
	- smarty3 3.0.8-1
CVE-2011-1009
	NOT-FOR-US: Vanilla Forums
CVE-2011-1133 [xinha XSS mode param]
	- serendipity <removed> (bug #611661)
CVE-2011-1134 [xinha XSS image manager]
	- serendipity <removed> (bug #611661)
CVE-2011-1135 [xinha multiple vulns]
	- serendipity <removed> (bug #611661)
CVE-2011-1136 [tesseract tempfile]
	- tesseract 2.04-2.1 (low; bug #612032)
CVE-2011-0705 [path traversal in SimpleHTTPServer]
	NOTE: Will be rejected
CVE-2011-0704
	NOT-FOR-US: 389 Directory Server
CVE-2011-0703
	- gksu-polkit <removed> (bug #684489)
CVE-2011-0699
	- linux-2.6 2.6.37-2
CVE-2011-0544
	- phpbb3 3.0.7-PL1-5 (low; bug #612477)
CVE-2011-0529
	- weborf 0.12.5-1
CVE-2011-0528
	- puppet 2.6.2-3
CVE-2011-0525
	NOT-FOR-US: Batavi
CVE-2011-0460
	- kbd <not-affected> (SUSE-specific)
CVE-2011-0428
	- ikiwiki 3.20110122
CVE-2011-0068
	- xulrunner <not-affected> (Only affects Firefox 4.0, not yet in unstable)
-------------- next part --------------
CVE-2012-6619 [MongoDB memory over-read via incorrect BSON object length]
	- mongodb 1:2.4.1-1
CVE-2012-6110 [bcron file descriptors not closed]
	- bcron 0.09-13 (low; bug #686650)
CVE-2012-6345
	NOT-FOR-US: CyberArk Vault
CVE-2012-6344
	NOT-FOR-US: CyberArk Vault
CVE-2012-6342
	NOT-FOR-US: Atlassian Confluence
CVE-2012-6146 [Backend History Module Information Disclosure]
	{DSA-2574-1}
CVE-2012-6143 [Storable::thaw called on untrusted inputs]
	- libspoon-perl <unfixed> (bug #715371; low)
CVE-2012-6142 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: HTML-EP CPAN module
CVE-2012-6141 [Storable::thaw called on untrusted inputs]
	NOT-FOR-US: App-Context CPAN module
CVE-2012-6136
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2012-6135
	- ruby-passenger <not-affected> (Vulnerable code not present; bug #702219)
CVE-2012-6133 [XSS flaws in ok and error messages]
	- roundup 1.4.20-1
CVE-2012-6132 [XSS flaw with the otk parameter]
	- roundup 1.4.20-1
CVE-2012-6131 [XSS flaw in @action parameter]
	- roundup 1.4.20-1
CVE-2012-6130 [XSS vulnerability when usernames contain HTML]
	- roundup 1.4.20-1
CVE-2012-6125
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6124
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6123
	- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6122
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2012-6114 [temp file vulnerability in git-extras]
	- git-extras 1.7.0-1.2 (bug #698490)
CVE-2012-6111 [gnome-keyring does not discard stored secrets in some cases]
	- gnome-keyring 3.8.2-1 (low; bug #697896)
CVE-2012-6108 [default permissions for /var/log/hp are too open]
	- hplip <not-affected> (permissions are 755 on wheezy, sid and experimental)
CVE-2012-6107 [Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate]
	- axis2c <unfixed> (bug #697974)
CVE-2012-6094
	- cups <not-affected> (systemd patch not applied in Debian, see bug #697584)
CVE-2012-6086 [zabbix insecure curl usage]
	- zabbix 1:2.0.7+dfsg-1 (bug #697443)
CVE-2012-6083
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-6079
	NOT-FOR-US: W3 Total Cache
CVE-2012-6078
	NOT-FOR-US: W3 Total Cache
CVE-2012-6077
	NOT-FOR-US: W3 Total Cache
CVE-2012-6071 [libnusoap-php: Curl insecure usage]
	- nusoap 0.7.3-5 (low; bug #696707)
CVE-2012-6070 [falconpl: Curl insecure usage]
	- falconpl 0.9.6.9-git20120606-2 (bug #696681)
CVE-2012-5844
	- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
CVE-2012-5663
	NOT-FOR-US: Isearch
CVE-2012-5662
	- ibm-3270 <unfixed> (bug #706547)
CVE-2012-5650 [DOM based XSS via Futon UI]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5649 [JSONP arbitrary code execution with Adobe Flash]
	- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5645
	- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
	- libuser <unfixed> (low; bug #705690)
CVE-2012-5641
	- couchdb <not-affected> (Only affects CouchDB on Windows)
CVE-2012-5640 [thttpd: Local DoS vulnerability]
	- thttpd <removed> (low)
CVE-2012-5639
	- libreoffice <unfixed> (unimportant)
CVE-2012-5631
	NOT-FOR-US: FreeIPA
CVE-2012-5630 [TOCTOU race conditions by copying and removing directory trees]
	- libuser <unfixed> (low; bug #705690)
CVE-2012-5628
	NOT-FOR-US: gofer component of PULP project
CVE-2012-5623
	NOT-FOR-US: change_passwd plugin for Squirrelmail
CVE-2012-5621 [Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with not UTF-8 valid name]
	- ekiga 3.2.7-6 (bug #702282; low)
CVE-2012-5620
	NOT-FOR-US: Docecot non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
CVE-2012-5619
	- sleuthkit <unfixed> (unimportant; bug #695097)
CVE-2012-5618
	NOT-FOR-US: Ushahidi
CVE-2012-5617 [privilege escalation due to improper authentication settings in policykit configuration file]
	- gksu-polkit <removed> (bug #695807)
CVE-2012-5583 [phpcas curl usage]
	- php-cas 1.3.1-2
CVE-2012-5582 [opendnssec curl usage]
	- opendnssec <not-affected> (eppclient not built in Debian package)
CVE-2012-5580 [libproxy: format string issue]
	- libproxy 0.3.1-4 (low)
CVE-2012-5578 [Python keyring insecure permissions on new databases]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5577 [Python keyring insecure permissions on migrated files]
	- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
	- libdancer-perl 1.3114+dfsg-1 (low; bug #694279)
CVE-2012-5567
	- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5566
	- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5565
	NOT-FOR-US: This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code
CVE-2012-5560
	NOT-FOR-US: MATE gnome fork
CVE-2012-5535
	- gnome-system-log <not-affected> (Fedora-specific issue)
CVE-2012-5527
	- claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391)
CVE-2012-5524
	- gajim 0.15.4-1 (low; bug #693282)
CVE-2012-5521
	- quagga <unfixed> (unimportant; bug #693102)
CVE-2012-5518
	NOT-FOR-US: ovirt / vsdm
CVE-2012-5508 [ Zope/Plone: PRNG isn't reseeded]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5507 [ Zope/Plone: Timing attack in password validation ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5506 [ Zope/Plone: DoS through RSS on private folder ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5505 [ Zope/Plone: Attempting to access a view with no name returns an internal data structure ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5504 [ Zope/Plone: Persistent XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5503 [ Zope/Plone: Users connected through FTP can list hidden folder contents ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5502 [ Zope/Plone: Persistent XSS via filtering bypass ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5501 [ Zope/Plone: Crafted URL allows downloading of BLOBs that are not visible to the user ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5500 [ Zope/Plone: Anonymous users can batch change titles of content items ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5499 [ Zope/Plone: Partial denial of service through internal function ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5498 [ Zope/Plone: Partial denial of service through Collections functionality ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5497 [ Zope/Plone: Anonymous users can list user account names ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5496 [ Zope/Plone: DoS through unsanitised inputs into Kupu ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5495 [ Zope/Plone: Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5494 [ Zope/Plone: Reflexive XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5493 [ Zope/Plone: Restricted Python sandbox escape ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5492 [ Zope/Plone: Partial permissions bypass ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5491 [ Zope/Plone: Form detail exposure ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5490 [ Zope/Plone: Reflexive XSS ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5489 [ Zope/Plone: Partial restricted Python sandbox escape ]
	- zope2.12 <unfixed> (bug #692899)
CVE-2012-5488 [ Zope/Plone: Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5487 [ Zope/Plone: Restricted Python sandbox escape ]
	- zope2.12 <unfixed> (unimportant; bug #692899)
CVE-2012-5486 [ Zope/Plone: Reflexive HTTP header injection ]
	- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5485 [ Restricted Python injection ]
	NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5476
	- horizon <not-affected> (File is installed with 0700 perms in Debian)
CVE-2012-5474
	- horizon 2012.1.1-7
CVE-2012-5395
	NOT-FOR-US: Mediawiki extension CentralAuth
CVE-2012-5391
	- mediawiki 1:1.19.3-1 (bug #694998)
CVE-2012-5390 [Possible privilege escalation]
	- condor <not-affected> (standard universe is disabled in the Debian package, see bug #697936)
CVE-2012-5366
	NOT-FOR-US: Mac OS X
CVE-2012-5365
	- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5364
	NOT-FOR-US: Microsoft Windows
CVE-2012-5363
	- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5362
	NOT-FOR-US: Microsoft Windows
CVE-2012-5361
	- ffmpeg <removed>
CVE-2012-5360
	- ffmpeg <removed>
CVE-2012-5359
	- ffmpeg <removed>
CVE-2012-5241
	NOT-FOR-US: PEAR module for Twitter
CVE-2012-5236 [Admin can decrypt user files]
	- owncloud <unfixed> (low)
CVE-2012-4410
	NOTE: to be rejected
CVE-2012-4576 [freebsd privilege escalation]
	- kfreebsd-8 8.3-6 (bug #694096)
CVE-2012-4570 [sql injection]
	- php-letodms-core 3.3.8-1
CVE-2012-4569 [multiple xss in 3.3.9]
	- letodms 3.3.9+dfsg-1
CVE-2012-4568 [csrf]
	- letodms 3.3.9+dfsg-1
CVE-2012-4567 [multiple xss in 3.3.8]
	- letodms 3.3.9+dfsg-1
CVE-2012-4526 [XSS in password.php, incomplete fix for CVE-2012-4525]
	- piwigo <not-affected> (incomplete fix not applied to Debian package)
CVE-2012-4525 [XSS in password.php]
	- piwigo <removed>
CVE-2012-4524 [xlockmore bypass]
	- xlockmore <removed> (low)
CVE-2012-4519
	NOT-FOR-US: Zenphoto
CVE-2012-4512
	- kdebase <removed> (unimportant)
CVE-2012-4480
	NOT-FOR-US: mom
CVE-2012-4451 [php-ZendFramework: XSS vectors in multiple Zend Framework components ZF2012-03]
	- zendframework <not-affected> (Vulnerable code introduced in 2.x, #688946)
CVE-2012-4441 [jenkins XSS in CI game plugin]
	- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4440 [jenkins XSS in Violations plugin]
	- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4439 [jenkins XSS]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4438 [jenkins remote code execution]
	- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4434 [fwknop 2.0.3: multiple DoS / code execution flaw]
	- fwknop 2.0.3-1 (bug #688151)
CVE-2012-4428
	- openslp-dfsg <unfixed> (bug #687597; low)
CVE-2012-4420 [Duplicate of CVE-2012-4416]
	NOT-FOR-US: Duplicate of CVE-2012-4416
CVE-2012-4385 [letodms CSRF]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4384 [letodms XSS]
	- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4383
	NOT-FOR-US: Contao
CVE-2012-4382 [Info leak in user blocks]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4381 [Passwords were stored in local DB even if auth systems like LDAP were used]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4380 [Insufficient API for account creation block]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4379 [CSRF]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4378 [DOM-based XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4377 [[mediawiki stored XSS]
	- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-3543
	- mono 2.10.8.1-7 (bug #686562)
CVE-2012-3522 [geshi XSS in contrib/langwiz.php]
	- geshi <not-affected> (Vulnerable code not present, see bug #685323)
CVE-2012-3521 [geshi information disclosure in contrib/cssgen.php]
	- geshi 1.0.8.4-2 (bug #685324)
CVE-2012-3490
	- condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210)
CVE-2012-3427
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-3415
	- plpupload <itp> (bug #668396)
CVE-2012-3409
	- ecryptfs-utils 99-1 (bug #682220)
CVE-2012-3407
	NOT-FOR-US: plow
CVE-2012-3406 [glibc formatted printing vulnerabilities]
	- eglibc <unfixed> (low; bug #681888)
CVE-2012-3405 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3404 [glibc formatted printing vulnerabilities]
	- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3359
	NOT-FOR-US: Red Hat Conga
CVE-2012-2979 [VU#517036: NSD 3.2.13 emergency release]
	- nsd3 <not-affected> (Debian version not affected)
CVE-2012-2945
	- hadoop <itp> (bug #535861)
CVE-2012-2736 [NetworkManager: creating new WPA-secured wireless network results in insecure network being created instead]
	- network-manager 0.9.4.0-1 (low; bug #655972)
CVE-2012-2724
	NOT-FOR-US: Drupal module
CVE-2012-2714
	NOT-FOR-US: Drupal module
CVE-2012-2663
	- iptables <unfixed> (unimportant; bug #675445)
CVE-2012-2656 [XXE vulnerability in Restlet]
	- restlet <itp> (bug #596472)
CVE-2012-2350 [pam_shield default configuration does not take any action]
	- pam-shield 0.9.2-3.3 (low; bug #658830)
CVE-2012-2328
	NOT-FOR-US: sblim
CVE-2012-2312
	- jbossas4 <not-affected> (Only affects JBoss 7)
CVE-2012-2301 [Drupal SA-CONTRIB-2012-064 - Ubercart - Arbitrary PHP Execution]
	NOT-FOR-US: Drupal addon not packaged
CVE-2012-2250
	- tor 0.2.3.24-rc-1 (low)
CVE-2012-2249
	- tor 0.2.3.23-rc-1 (low)
CVE-2012-2248 [build-influenced PATH set in dhclient]
	- isc-dhcp 4.2.4-3 (bug #690532)
CVE-2012-2238
	- tryton-server <not-affected> (only affected 2.4, in experimental)
CVE-2012-2237
	{DSA-2540-1}
CVE-2012-2095 [wicd command execution with root privileges]
	- wicd 1.7.2.4-1 (low; bug #668397)
CVE-2012-2148
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-2142 [Insufficient sanitization of escape sequences in the error message]
	- xpdf <not-affected> (uses poppler's Error.cc)
CVE-2012-2134
	NOT-FOR-US: Dynamic LDAP backend plugin for BIND
CVE-2012-2130
	- polarssl 1.1.2-1
CVE-2012-2108
	- csound 1:5.17.6~dfsg-1 (low; bug #661197)
CVE-2012-2107
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2106
	- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2092
	- cobbler <itp> (bug #545583)
CVE-2012-2079
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-2078
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1637
	NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1622
	NOT-FOR-US: Apache OFBiz
CVE-2012-1621
	NOT-FOR-US: Apache OFBiz
CVE-2012-1615 [sectool dbus priv escalation]
	NOT-FOR-US: sectool
CVE-2012-1600 [XSS from 5.0.4 release]
	- phppgadmin 5.0.4-1
CVE-2012-1592
	- libstruts1.2-java <not-affected> (Only applies to Struts 2, see bug #657870)
CVE-2012-1577
	- dietlibc 0.33~cvs20120325-1 (unimportant)
CVE-2012-1572
	- keystone 2012.1~rc2-1
CVE-2012-1567
	NOT-FOR-US: LinuxMint
CVE-2012-1566
	NOT-FOR-US: LinuxMint
CVE-2012-1563
	- joomla <itp> (bug #571794)
CVE-2012-1562
	- joomla <itp> (bug #571794)
CVE-2012-1561
	NOT-FOR-US: Drupal Finder
CVE-2012-1102 [XML::Atom Perl module XML entity expansion]
	{DSA-2424-1}
CVE-2012-1301
	NOT-FOR-US: Umbraco
CVE-2012-1257
	- pidgin <unfixed> (unimportant)
CVE-2012-1187
	- bitlbee 3.0.4+bzr855-1 (low)
CVE-2012-1171 [safemode bypass after RSHUTDOWN]
	- php5 <unfixed> (unimportant)
CVE-2012-1170
	- moodle <not-affected> (Only affects 2.2)
CVE-2012-1169
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1168
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1166 [ldm (LTSP display manager)]
	- ldm  2:2.2.7-1 (bug #663645)
CVE-2012-1161
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1160
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1159
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1158
	- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1157
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1156
	- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1155
	- moodle 1.9.9.dfsg2-6 (low; bug #668411)
CVE-2012-1124
	NOT-FOR-US: phxEventManager not in Debian
CVE-2012-1115
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1114
	- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1111
	- lightdm 1.0.9-1 (bug #658678)
CVE-2012-1109
	NOT-FOR-US: mwlib not in Debian
CVE-2012-1105
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1104
	- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1101
	- systemd 43-1 (bug #662029)
CVE-2012-1100
	NOT-FOR-US: JBoss Operations Network
CVE-2012-1096
	- network-manager <unfixed> (low; bug #684259)
CVE-2012-1095
	- osc <unfixed> (unimportant)
CVE-2012-1094
	NOT-FOR-US: mod_cluster
CVE-2012-1093 [init script x11-common creates directories in insecure manner]
	- xorg 1:7.6+12 (bug #661627)
CVE-2012-1088
	- iproute 20120319-1 (unimportant)
CVE-2012-0943
	- lightdm <not-affected> (Ubuntu-specific script)
CVE-2012-0875 [systemtap invalid read leading to kernel DoS]
	- systemtap 1.7-1 (low; bug #660929; bug #660886)
CVE-2012-0871
	- systemd 43-1
CVE-2012-0844
	- netsurf 2.8-2 (bug #659376)
CVE-2012-0843
	- uzbl 0.0.0~git.20111128-2 (bug #659379)
CVE-2012-0842 [surf info leak]
	- surf 0.4.1-6 (bug #659296)
CVE-2012-0828
	- xchat <not-affected> (Only affects Xchat on Windows and Maemo)
CVE-2012-0824
	- gnusound <removed> (low; bug #654270)
CVE-2012-0812 [PostfixAdmin 2.3.4 multiple XSS vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0811 [PostfixAdmin 2.3.4 multiple SQL vulnerabilities]
	- postfixadmin 2.3.5-1
CVE-2012-0810
	- linux-2.6 3.2.16-1 (bug #672660)
CVE-2012-0803
	NOT-FOR-US: Apache CXF
CVE-2012-0694 [SugarCRM CE unserialize PHP code execution in multiple files]
	- sugarcrm-ce-5.0 <itp> (bug #457876)
CVE-2012-0270 [csound buffer overflows]
	- csound 1:5.16.6~dfsg-1 (low; bug #661197)
CVE-2012-0214 [apt would still trust repository when old InRelease file present]
	- apt 0.8.15.10
CVE-2012-0153
	NOT-FOR-US: Microsoft
CVE-2012-0140
	NOT-FOR-US: Microsoft
CVE-2012-0139
	NOT-FOR-US: Microsoft
CVE-2012-0785 [Jenkins and hash collision attack]
	- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
CVE-2012-0070
	NOT-FOR-US: spamdyke not in Debian
CVE-2012-0064 [xorg screen lockers bypassed via key combo]
	- xorg-server 2:1.11.3.901-2 (high; bug #656410)
CVE-2012-0063
	- tucan <unfixed> (bug #656388)
CVE-2012-0062
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0059
	NOT-FOR-US: RHN Satellite
CVE-2012-0055
	NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
CVE-2012-0052
	NOT-FOR-US: JBoss Operations Network
CVE-2012-0051
	- tahoe-lafs <not-affected> (Only affects 1.9.0, not uploaded to the archive)
CVE-2012-0049
	{DSA-2524-1}
CVE-2012-0046 [mediawiki info leak]
	- mediawiki 1:1.15.5-6 (low; bug #655694)
CVE-2012-0033 [znc bouncedcc DoS]
	- znc 0.202-2
CVE-2012-0032
	NOT-FOR-US: JBoss Operations Network
-------------- next part --------------
CVE-2013-7303 [cross-site scripting]
	- spip 3.0.13-1 (bug #736170)
CVE-2013-7302
	NOT-FOR-US: Drupal contrib
CVE-2013-7301 [external network interface is used with no access control for reading queued music files]
	- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7300 [absolute path traversal vulnerability]
	- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7299 [tntnet: denial of service]
	- tntnet <unfixed> (low; bug #735881)
CVE-2013-7298 [cxxtools: denial of service]
	- cxxtools 2.2.1-1 (low; bug #735880)
CVE-2013-7296 [DoS]
	- poppler <not-affected> (Introduced in a3cee0e7e9dd292c70fe1fa19a92e70bbc1e1b41)
CVE-2013-7285 [remote code execution via deserialization in XStream]
	- libxstream-java <unfixed> (bug #734821)
CVE-2013-7284 [libplrpc-perl remote code execution due to Storable]
	- libplrpc-perl <unfixed> (high; bug #734789)
CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list]
	- gdm3 <unfixed> (low; bug #683338)
CVE-2013-7259
	- neo4j-community <itp> (bug #685615)
CVE-2013-7252 [kwallet crypto misuse]
	- kde-runtime <unfixed>
CVE-2013-7172
	- libiodbc2 <not-affected> (RPATH issue slackware specific)
CVE-2013-7171
	- llvm-2.9 <not-affected> (RPATH issue slackware specific)
CVE-2013-7236
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7235
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7234
	NOT-FOR-US: Simple Machines Forum
CVE-2013-7221 [run command dialog visible above screen locker]
	- gnome-shell <unfixed>
CVE-2013-7220 [blind command execution via activities search keyboard focus]
	- gnome-shell <unfixed>
CVE-2013-7203
	- gitolite3 3.5.3.1-1
CVE-2013-7143
	- open-xchange <itp> (bug #269329)
CVE-2013-7142
	- open-xchange <itp> (bug #269329)
CVE-2013-7141
	- open-xchange <itp> (bug #269329)
CVE-2013-7140
	- open-xchange <itp> (bug #269329)
CVE-2013-7137
	NOT-FOR-US: Burden
CVE-2013-7135
	- libproc-daemon-perl 0.14-2 (low; bug #732283)
CVE-2013-7134
	NOT-FOR-US: Juvia
CVE-2013-7130 [Live migration can leak root disk into ephemeral storage]
	- nova <unfixed> (bug #736465)
CVE-2013-7111
	NOT-FOR-US: Bio Basespace SDK Ruby Gem
CVE-2013-7110
	- transifex-client <unfixed> (low)
CVE-2013-7066
	NOT-FOR-US: Drupal module
CVE-2013-7065
	NOT-FOR-US: Drupal module
CVE-2013-7064
	NOT-FOR-US: Drupal module
CVE-2013-7063
	NOT-FOR-US: Drupal module
CVE-2013-7034
	NOT-FOR-US: LiveZilla
CVE-2013-7033
	NOT-FOR-US: LiveZilla
CVE-2013-7032
	NOT-FOR-US: LiveZilla
CVE-2013-7089 [dbg_printhex possible information leak]
	- clamav 0.97.7+dfsg-1
CVE-2013-7088 [buffer overflow]
	- clamav 0.97.7+dfsg-1
CVE-2013-7087 [[clamav: WWPack corrupt heap memory]
	- clamav 0.97.7+dfsg-1
CVE-2013-7072
	NOT-FOR-US: Monitorix
CVE-2013-7071
	NOT-FOR-US: Monitorix
CVE-2013-7070
	NOT-FOR-US: Monitorix
CVE-2013-7062 [XSS]
	- zope2.12 <removed> (low)
CVE-2013-7061 [Privilege escalation through exposed underlying API]
	NOT-FOR-US: Plone
CVE-2013-7060 [Filesystem path information leak]
	NOT-FOR-US: Plone
CVE-2013-7048 [Nova live snapshots use an insecure local directory]
	- nova 2013.2.1-1 (bug #732022)
CVE-2013-7003
	NOT-FOR-US: LiveZilla
CVE-2013-7041 [pam_userdb: password hashes aren't compared case-sensitively]
	- pam <unfixed> (low; bug #731368)
CVE-2013-7040
	- python2.5 <removed> (low)
CVE-2013-6891 [lppasswd vulnerability]
	- cups 1.7.1-1
CVE-2013-6889 [Allows reading arbitrary files]
	- rush <unfixed> (bug #733505)
CVE-2013-6887
	- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6880
	NOT-FOR-US: FlashCanvas
CVE-2013-6879
	NOT-FOR-US: MijoSearch
CVE-2013-6878
	NOT-FOR-US: MijoSearch
CVE-2013-6838
	NOT-FOR-US: IVR Pro/Contact Center (VIP2000)
CVE-2013-6806
	NOT-FOR-US: OpenText Exceed onDemand
CVE-2013-6788
	NOT-FOR-US: Bitrix Site Manager
CVE-2013-6766
	NOT-FOR-US: OpenVAS Administrator (only uploaded to exp 2.5 years ago)
CVE-2013-6765
	NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago)
CVE-2013-6472
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6461 [DoS while parsing XML entities]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6460 [DoS while parsing XML documents]
	- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6458 [job usage issue in several APIs leading to libvirtd crash]
	{DSA-2846-1}
CVE-2013-6457 [avoid crashing if calling `virsh numatune' on inactive domain]
	- libvirt 1.2.1-1
CVE-2013-6456 [virsh shutdown does not handle symlinks correctly for LXC]
	- libvirt <unfixed> (bug #732394)
CVE-2013-6455
	- mediawiki <unfixed>
CVE-2013-6454
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6453
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6452
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6451
	- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6444 [failure to check certificate hostname]
	- pywbem <unfixed> (bug #732594)
CVE-2013-6441 [lxc: sshd template allow privilege escalation on host]
	- lxc <unfixed> (unimportant)
CVE-2013-6440 [XML eXternal Entity (XXE) flaw in ParserPool and Decrypter]
	- opensaml2 <not-affected> (Debian provides the C-based Shibboleth implementation)
CVE-2013-6437 [DoS through ephemeral disk backing files]
	- nova <unfixed>
CVE-2013-6430
	- libspring-java <unfixed> (bug #735420)
CVE-2013-6429
	- libspring-java <unfixed> (bug #735420)
CVE-2013-6418 [TOCTOU vulnerability in certificate validation]
	- pywbem <unfixed> (low; bug #732594)
CVE-2013-6413 [unrealircd: DoS, use after free]
	- unrealircd <itp> (bug #515130)
CVE-2013-6396 [does not properly verify the server SSL certificates]
	- python-swiftclient <unfixed> (bug #730626)
CVE-2013-6372
	- jenkins <not-affected> (Affected plugins are not shipped in Debian, bug #730457)
CVE-2013-6365 [CSRF edit.php]
	- php-horde 5.1.5+debian0-1 (bug #730110)
CVE-2013-6364 [XSS and CSRF search.php]
	- php-horde <not-affected> (Vulnerable code in turba)
CVE-2013-6275 [CSRF]
	- php-horde-ingo 3.1.3-1 (bug #727669)
CVE-2013-6242
	- open-xchange <itp> (bug #269329)
CVE-2013-6241
	- open-xchange <itp> (bug #269329)
CVE-2013-6236
	NOT-FOR-US: Stem Innovations IZON
CVE-2013-6223
	NOT-FOR-US: Livezilla
CVE-2013-6117
	NOT-FOR-US: Dahua DVR
CVE-2013-6167
	- iceweasel <unfixed> (unimportant)
CVE-2013-6166
	- chromium-browser 31.0.1650.57-1 (low)
CVE-2013-6053
	- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6049 [insecure temporary file creation]
	- apt-listbugs 0.1.10 (low)
CVE-2013-6047 [XSS in site creation interface]
	- ikiwiki-hosting 0.20131025
CVE-2013-5984
	NOT-FOR-US: Microweber
CVE-2013-5983
	NOT-FOR-US: GuppY
CVE-2013-5916
	NOT-FOR-US: WordPress plugin wp-e-commerce
CVE-2013-5749
	NOT-FOR-US: SimpleRisk
CVE-2013-5748
	NOT-FOR-US: SimpleRisk
CVE-2013-5743
	- zabbix 1:2.0.8+dfsg-2
CVE-2013-5680 [heap overflow]
	- hylafax <not-affected> (Not built with LDAP support)
CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
	NOTE: DNS protocol flaw
CVE-2013-5675
	NOT-FOR-US: Symantec Endpoint Protection
CVE-2013-5671 [Remote Command Injection]
	NOT-FOR-US: fog-dragonfly Ruby Gem
CVE-2013-5655
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5654
	NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5640
	NOT-FOR-US: Gnew
CVE-2013-5639
	NOT-FOR-US: Gnew
CVE-2013-5582
	NOT-FOR-US: Ammyy Admin
CVE-2013-5581
	NOT-FOR-US: Ammyy Admin
CVE-2013-5350
	NOT-FOR-US: OpenPNE
CVE-2013-5212
	NOT-FOR-US: easyXDM
CVE-2013-5123 [insecure mirroring]
	- python-pip 1.4.1-1 (unimportant)
CVE-2013-4985
	NOT-FOR-US: Vivotek IP Cameras
CVE-2013-4982
	NOT-FOR-US: AVTECH DVR
CVE-2013-4981
	NOT-FOR-US: AVTECH DVR
CVE-2013-4980
	NOT-FOR-US: AVTECH DVR
CVE-2013-4979 [Buffer Overflow]
	NOT-FOR-US: EPS Viewer
CVE-2013-4978 [Buffer Overflow]
	NOT-FOR-US: Aloaha PDF Suite
CVE-2013-4968
	- puppet <not-affected> (Only affects Puppet Enterprise)
CVE-2013-4772
	NOT-FOR-US: D-Link
CVE-2013-4752
	NOT-FOR-US: Symfony HttpFoundation component
CVE-2013-4751
	NOT-FOR-US: Symfony Validator component
CVE-2013-4739
	- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4738
	- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4730
	NOT-FOR-US: PCMan FTP Server
CVE-2013-4718 [XSS]
	NOT-FOR-US: OTRS ITSM	
CVE-2013-4717 [SQL injection]
	{DSA-2733-1}
CVE-2013-4593
	- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4584 [ssl_outgoing_ciphers not applied to STARTTLS connections]
	- perdition <unfixed> (low; bug #729028)
CVE-2013-4583
	- gitlab <itp> (bug #651606)
CVE-2013-4582 [Local file inclusion vulnerability]
	- gitlab <itp> (bug #651606)
CVE-2013-4581 [Remote code execution vulnerability via Git SSH access]
	- gitlab <itp> (bug #651606)
CVE-2013-4580 [Unauthenticated API access to GitLab when using MySQL]
	- gitlab <itp> (bug #651606)
CVE-2013-4577 [should set safer permissions even when hashed passwords are found]
	- grub2 2.00-20 (unimportant; bug #632598)
CVE-2013-4574
	- mediawiki <unfixed>
CVE-2013-4572
	- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
CVE-2013-4571
	- mediawiki <unfixed>
CVE-2013-4570
	- mediawiki <unfixed>
CVE-2013-4565 [heap-based buffer overflow]
	- xlhtml <unfixed> (bug #729279)
CVE-2013-4562
	- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4561
	NOT-FOR-US: OpenShift
CVE-2013-4552
	NOT-FOR-US: drupalauth module for simpleSAMLphp
CVE-2013-4546 [remote command execution]
	- gitlab <itp> (bug #651606)
CVE-2013-4521
	NOT-FOR-US: Nuxeo
CVE-2013-4504
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4503
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4502
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4501
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4500
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4499
	NOT-FOR-US: Drupal contrib module 
CVE-2013-4498
	NOT-FOR-US: Drupal contrib module
CVE-2013-4490 [Remote code execution vulnerability in the SSH key upload feature]
	- gitlab <itp> (bug #651606)
CVE-2013-4489 [Remote code execution vulnerability in the code search feature]
	- gitlab <itp> (bug #651606)
CVE-2013-4488
	- libgadu <unfixed> (unimportant)
CVE-2013-4472 [Race condition on temporary file]
	- poppler <unfixed> (unimportant)
CVE-2013-4471 [password reset vulnerability]
	- horizon 2013.2-1
CVE-2013-4468
	NOT-FOR-US: VICIDIAL
CVE-2013-4467
	NOT-FOR-US: VICIDIAL
CVE-2013-4463 [Compressed disk image DoS]
	- nova 2013.2-3 (bug #728605)
CVE-2013-4462
	NOT-FOR-US: WordPress plugin
CVE-2013-4455
	NOT-FOR-US: Katello
CVE-2013-4454
	NOT-FOR-US: WordPress plugin
CVE-2013-4451 [world writable files]
	- gitolite <not-affected> (vulnerable code introduced for v3.5.3)
CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled]
	- openldap <unfixed> (low; bug #729367)
CVE-2013-4442 [Silent fallback to insecure entropy]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4440 [non-tty passwords are trivially weak by default]
	- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4433 [xhprof: unspecified XSS]
	- xhprof 0.9.4-1 (bug #726284)
CVE-2013-4432 [a group member with no access rights to folder can still view it]
	- mahara <removed> (low; bug #727539)
CVE-2013-4431 [Not checking ownership of blocks before editing them]
	- mahara <removed> (low; bug #727552)
CVE-2013-4430
	- mahara <removed> (unimportant; bug #727548)
CVE-2013-4429 [Arbitrary image download]
	- mahara <removed> (low; bug #727545)
CVE-2013-4427 [pyxtrlock Incorrect return value checking]
	NOT-FOR-US: pyxtrlock
CVE-2013-4426 [pyxtrlock mis-spelled variable name]
	NOT-FOR-US: pyxtrlock
CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal]
	- libtar <unfixed> (bug #731860)
CVE-2013-4413 [arbitrary files read]
	NOT-FOR-US: Wicked Ruby Gem
CVE-2013-4412 [NULL ptr dereference]
	- slim <unfixed> (bug #725902)
CVE-2013-4411
	- reviewboard <itp> (bug #653113)
CVE-2013-4410
	- reviewboard <itp> (bug #653113)
CVE-2013-4409 [unsanitized eval() vulnerability]
	- djblets <removed> (low; bug #726039)
CVE-2013-4406
	NOT-FOR-US: Quick Tabs Drupal contributed module
CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled]
	- libvirt 1.1.4-1
CVE-2013-4395
	NOT-FOR-US: Simple Machines Forum
CVE-2013-4383
	NOT-FOR-US: Drupal module
CVE-2013-4380
	NOT-FOR-US: Drupal module
CVE-2013-4367
	NOT-FOR-US: ovirt
CVE-2013-4357 [getaddrinfo() stack overflow]
	- eglibc <unfixed>
CVE-2013-4347 [Uses poor PRNG]
	- python-oauth2 <unfixed> (low; bug #722657)
CVE-2013-4346 [_check_signature() ignores the nonce value when validating signed urls]
	- python-oauth2 <unfixed> (low; bug #722656)
CVE-2013-4337
	NOT-FOR-US: Drupal module
CVE-2013-4336
	NOT-FOR-US: Drupal module
CVE-2013-4335
	NOT-FOR-US: opOpenSocialPlugin
CVE-2013-4334
	NOT-FOR-US: opWebAPIPlugin
CVE-2013-4333
	NOT-FOR-US: OpenPNE
CVE-2013-4331 [incorrect .Xauthority permissions]
	- lightdm 1.6.2-1 (bug #721744)
CVE-2013-4321 [TYPO3 File Abstraction Layer: Remote Code Execution]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4320 [TYPO3 Core: Cross-Site Scripting, Remote Code Execution]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4318
	NOT-FOR-US: Ruby gem Features
CVE-2013-4304 [mediawiki CentralAuth auth bypass]
	NOT-FOR-US: Mediawiki CentralAuth extension
CVE-2013-4303 [mediawiki XSS with IE6]
	- mediawiki 1:1.19.8+dfsg-1 (unimportant)
CVE-2013-4290 [stack-based buffer overflows]
	- openjpeg <unfixed> (bug #722540)
CVE-2013-4289 [heap-based buffer overflows]
	- openjpeg <unfixed> (bug #722540)
CVE-2013-4279
	- imapsync <removed>
CVE-2013-4275
	NOT-FOR-US: Drupal contributed module Zen
CVE-2013-4273
	NOT-FOR-US: Drupal contributed module Entity API
CVE-2013-4269
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4268
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4267
	- ajaxplorer <itp> (bug #668381)
CVE-2013-4262 [svnwcsub.py and irkerbridge.py are vulnerable to symlink attack]
	- subversion <not-affected> (Optional admin-side utilities in Subversion 1.8.x)
CVE-2013-4251 [weave /tmp and current directory issues]
	- python-scipy 0.12.0-3 (bug #726093)
CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer]
	- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4246 [FSFS repository corruption due to editing packed revision properties]
	- subversion <not-affected> (only affects 1.8.0 and 1.8.1)
CVE-2013-4241
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4240
	NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4228
	NOT-FOR-US: Organic Group Drupal contributed module
CVE-2013-4227
	NOT-FOR-US: Persona Drupal contributed module
CVE-2013-4226
	NOT-FOR-US: Authenticated User Page Caching Drupal contributed module
CVE-2013-4225
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module
CVE-2013-4224
	NOTE: Dublicate of CVE-2013-4187, thus rejected
CVE-2013-4223 [nullmailer world readable /etc/nullmailer/remotes]
	- nullmailer 1:1.11-2 (low; bug #684619)
CVE-2013-4215 [IPXPING_COMMAND uses fixed location in /tmp]
	- nagios-plugins <unfixed> (unimportant)
CVE-2013-4211
	NOT-FOR-US: OpenX
CVE-2013-4209 [ABRT: (substantially) limited leak of unauthorized information]
	NOT-FOR-US: NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2013-4201 [Katello: CLI - user without access can call "system remove_deletion" command]
	NOT-FOR-US: Katello
CVE-2013-4199 [plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)]
	NOT-FOR-US: Plone
CVE-2013-4198 [plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py)]
	NOT-FOR-US: Plone
CVE-2013-4197 [plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py)]
	NOT-FOR-US: Plone
CVE-2013-4196 [plone: Multiple information exposure flaws via certain object methods (objectmanager.py)]
	NOT-FOR-US: Plone
CVE-2013-4195 [plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py)]
	NOT-FOR-US: Plone
CVE-2013-4194 [plone: File system path exposure (wysiwyg.py)]
	NOT-FOR-US: Plone
CVE-2013-4193 [plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py)]
	NOT-FOR-US: Plone
CVE-2013-4192 [plone: Ability to spoof emails (sendto.py)]
	NOT-FOR-US: Plone
CVE-2013-4191 [plone: Information exposure due improper access control enforcement when generating zip archives (zip.py)]
	NOT-FOR-US: Plone
CVE-2013-4190 [plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)]
	NOT-FOR-US: Plone
CVE-2013-4189 [plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py)]
	NOT-FOR-US: Plone
CVE-2013-4188 [plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py)]
	NOT-FOR-US: Plone
CVE-2013-4187 [Access Bypass]
	NOT-FOR-US: Flippy Contributed Drupal module
CVE-2013-4184 [symlink attacks]
	- libdata-uuid-perl <unfixed> (low; bug #718949)
CVE-2013-4178
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4177
	NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4176 [information disclosure]
	NOT-FOR-US: MySecureShell
CVE-2013-4175 [local denial of service]
	NOT-FOR-US: MySecureShell
CVE-2013-4168 [start and end time fields not filtered]
	- smokeping 2.6.8-2
CVE-2013-4166 [problem in GPG key selection when encrypting mail]
	- evolution <unfixed> (unimportant)
CVE-2013-4161
	- gksu-polkit <not-affected> (CVE for improperly applied fix for CVE-2012-5617 on Red Hat)
CVE-2013-4158
	- smokeping <not-affected> (fix for CVE-2012-0790/DSA-2651-1 uses regexp from 2.6.9 upstream release)
CVE-2013-4152 [XML External Entity (XXE) injection flaw]
	{DSA-2842-1}
CVE-2013-4143
	NOT-FOR-US: xlockmore
CVE-2013-4133 [memory leak]
	- kde-workspace 4:4.10.5-3 (unimportant; bug #717180)
CVE-2013-4119
	- freerdp <not-affected> (The server part is not build)
CVE-2013-4118
	- freerdp <not-affected> (The server part is not build)
CVE-2013-4116 [npm: predictable temporary filenames when unpacking tarballs]
	- npm 1.3.10~dfsg-1 (bug #715325)
CVE-2013-4110
	NOT-FOR-US: Cryptocat
CVE-2013-4109
	NOT-FOR-US: Cryptocat
CVE-2013-4108
	NOT-FOR-US: Cryptocat
CVE-2013-4107
	NOT-FOR-US: Cryptocat
CVE-2013-4106
	NOT-FOR-US: Cryptocat
CVE-2013-4105
	NOT-FOR-US: Cryptocat
CVE-2013-4104
	NOT-FOR-US: Cryptocat
CVE-2013-4103
	NOT-FOR-US: Cryptocat
CVE-2013-4102
	NOT-FOR-US: Cryptocat
CVE-2013-4101
	NOT-FOR-US: Cryptocat
CVE-2013-4100
	NOT-FOR-US: Cryptocat
CVE-2013-4088 [Information Disclosure]
	{DSA-2712-1}
CVE-2013-3843
	- monkey <removed>
CVE-2013-3734 [Datasource password visible to administrator]
	NOT-FOR-US: Embedded Jopr
CVE-2013-3729
	NOT-FOR-US: Kasseler CMS
CVE-2013-3728
	NOT-FOR-US: Kasseler CMS
CVE-2013-3727
	NOT-FOR-US: Kasseler CMS
CVE-2013-3718 [evince missing check on number of pages]
	- evince 3.10.0-1
CVE-2013-3703
	NOT-FOR-US: Open Build Service
CVE-2013-3685
	NOT-FOR-US: Sprite Software's backup softare for Android
CVE-2013-3587 [BREACH attack against HTTP compression]
	TODO: check
CVE-2013-3571 [FD leak]
	- socat 1.7.1.3-1.5 (low; bug #709931)
CVE-2013-3565 [XSS in HTTP Interface]
	- vlc 2.0.7-1 (unimportant)
CVE-2013-3551
	{DSA-2696-1}
CVE-2013-3514
	NOT-FOR-US: OpenX
CVE-2013-2764
	NOT-FOR-US: Secure Entry Server
CVE-2013-2758
	NOT-FOR-US: CloudStack
CVE-2013-2756
	NOT-FOR-US: CloudStack
CVE-2013-2745 [SQL Injection]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2739 [heap-based buffer overflow]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2738 [SQL Injection]
	- minidlna <unfixed> (low; bug #717131)
CVE-2013-2625
	- otrs2 3.1.7+dfsg1-8
CVE-2013-2623
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2622
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2621
	NOT-FOR-US: Uebimiau Webmail
CVE-2013-2600 [MiniUPnPd information disclosure]
	- miniupnpd 1.8.20130730-1 (bug #716936)
CVE-2013-2595
	NOT-FOR-US: Qualcomm MSM Camera driver
CVE-2013-2574
	NOT-FOR-US: Foscam
CVE-2013-2565
	NOT-FOR-US: Mambo CMS
CVE-2013-2564
	NOT-FOR-US: Mambo CMS
CVE-2013-2563
	NOT-FOR-US: Mambo CMS
CVE-2013-2562
	NOT-FOR-US: Mambo CMS
CVE-2013-2298
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2294
	NOT-FOR-US: ViewGit
CVE-2013-2262
	NOT-FOR-US: Cryptocat
CVE-2013-2261
	NOT-FOR-US: Cryptocat
CVE-2013-2260
	NOT-FOR-US: Cryptocat
CVE-2013-2259
	NOT-FOR-US: Cryptocat
CVE-2013-2258
	NOT-FOR-US: Cryptocat
CVE-2013-2257
	NOT-FOR-US: Cryptocat
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
	- cinder <unfixed>
CVE-2013-2233 [not caching SSH host keys]
	- ansible 1.3.4+dfsg-1 (bug #714822)
CVE-2013-2228 [RSA exponent of 1]
	- salt 0.15.1-1
CVE-2013-2227 [local file inclusion]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2226 [Multiple SQL injections]
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2225
	- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2214 [nagios3: information leak]
	- nagios3 3.4.1-4 (low)
CVE-2013-2213 [KRandom::random() Small Space of Random Values]
	- kdeplasma-addons <not-affected> (only affects if incomplete patch for CVE-2013-2120 is applied)
CVE-2013-2198
	NOT-FOR-US: Login Security Drupal contributed module
CVE-2013-2193 [Apache HBase Man in the Middle Vulnerability]
	NOT-FOR-US: Apache HBase
CVE-2013-2192 [Apache Hadoop Man in the Middle Vulnerability]
	NOT-FOR-US: Apache Hadoop
CVE-2013-2191
	NOT-FOR-US: python-bugzilla
CVE-2013-2184 [unsafe use of Storable::thaw]
	- movabletype-opensource 5.2.7+dfsg-1 (bug #712602)
CVE-2013-2183
	- monkey <removed> (low)
CVE-2013-2182 [monkey security rules bypass]
	- monkey <removed> (low)
CVE-2013-2180
	NOT-FOR-US: uk-cookie Wordpress plugin, not in Debian
CVE-2013-2167 [middleware memcache signing bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2166 [middleware memcache encryption bypass]
	- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2163 [monkey denial of service]
	- monkey <removed> (low)
CVE-2013-2159 [monkey broken authentication]
	- monkey <removed>
CVE-2013-2150 [XSS vulnerability in js/viewer.js]
	- owncloud <not-affected> (affects only experimental version)
CVE-2013-2149 [XSS vulnerability in core/js/oc-dialogs.js]
	- owncloud 4.0.16debian-1 (bug #711517)
CVE-2013-2131 [format string vulnerability]
	- rrdtool <unfixed> (unimportant; bug #708866)
CVE-2013-2130 [null pointer dereference in webadmin]
	- znc 1.0-5 (bug #720632)
CVE-2013-2125 [DoS in TLS Support]
	- opensmtpd 5.3.3p1-1
CVE-2013-2124 [libguestfs: DoS due to a double-free when inspecting certain guest files]
	- libguestfs 1:1.20.8-1 (bug #710290)
CVE-2013-2120 [weak generated passwords]
	- kdeplasma-addons <unfixed> (low; bug #710497)
CVE-2013-2111 [DoS (daemon hang) when parsing invalid IMAP APPEND command parameters]
	- dovecot <not-affected> (vulnerable code appeared in 2.2)
CVE-2013-2109
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2108
	NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2107
	NOT-FOR-US: WordPress plugin mail-on-update
CVE-2013-2106 [Authentication credential disclosure]
	- webauth <not-affected> (vulnerable code only in 4.4.1 up to 4.5.2)
CVE-2013-2105
	NOT-FOR-US: Show In Browser Ruby Gem
CVE-2013-2100
	NOT-FOR-US: Gentoo Portage binary package installer
CVE-2013-2097 [zPanel themes remote command execution as root]
	NOT-FOR-US: zPanel
CVE-2013-2093
	- dolibarr 3.3.4-1 (high)
CVE-2013-2092
	- dolibarr 3.3.4-1
CVE-2013-2091
	- dolibarr 3.3.4-1
CVE-2013-2090 [Remote command Injection]
	NOT-FOR-US:  Creme Fraiche Ruby Gem
CVE-2013-2089 [owncloud: oC-SA-2013-026]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2087 [gallery: multiple xss]	
	- gallery <not-affected> (Vulnerable code not present)
CVE-2013-2086 [owncloud: oC-SA-2013-027]
	- owncloud <not-affected> (Only owncloud 5.0.x)
CVE-2013-2085 [owncloud: oC-SA-2013-020]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2075
	- chicken <not-affected> (Incomplete fix was never applied)
CVE-2013-2074 [prints passwords contained in HTTP URLs in error messages]
	- kde4libs 4:4.10.5-1 (low; bug #707776)
CVE-2013-2073 [Does not validate HTTPS server certificate]
	- transifex-client 0.9-1 (low)
CVE-2013-2060
	NOT-FOR-US: OpenShift
CVE-2013-2057
	NOT-FOR-US: YaBB
CVE-2013-2049
	NOT-FOR-US: CloudForms Management Engine
CVE-2013-2048 [owncloud: oC-SA-2013-025]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2047 [owncloud: oC-SA-2013-023]
	- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2046 [owncloud: oC-SA-2013-019]
	- owncloud <not-affected> (Only affects 4.5.x)
CVE-2013-2045 [owncloud: oC-SA-2013-019]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2044 [owncloud: oC-SA-2013-022]
	- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2043 [owncloud: oC-SA-2013-024]
	- owncloud <not-affected> (Only 5.0.x and 4.5.x)
CVE-2013-2042 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2041 [owncloud: oC-SA-2013-021]
	- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2040 [owncloud: oC-SA-2013-021]
	- owncloud 4.0.15debian-1
CVE-2013-2039 [owncloud: oC-SA-2013-020]
	- owncloud 4.0.15debian-1
CVE-2013-2038 [DoS (packet parser crash) in the AIS driver when processing malformed packet]
	- gpsd 3.6-5 (bug #706665)
CVE-2013-2034 [jenkins CSRF]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2033 [jenkins XSS]
	- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2025
	NOT-FOR-US: Ushahidi
CVE-2013-2024 [OS command injection vulnerability in Chicken Scheme]
	- chicken 4.8.0.3-1 (bug #706525)
CVE-2013-2019 [stack overflow vulnerabilities in the XML parser]
	- boinc 6.13.6+dfsg-1 (low)
CVE-2013-2018 [SQL injections in the server-side scheduler code]
	- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2016 [qemu: virtio: out-of-bounds config space access]
	- qemu 1.5.0+dfsg-1 (bug #710822)
CVE-2013-2014 [no limitation for requests and headers size which can cause a crash]
	- keystone 2013.1.1-2 (bug #708515)
CVE-2013-2012 [autojump profile will load random stuff from a directory called custom_install]
	- autojump <not-affected> (vulnerable code not present for unstable)
CVE-2013-2011
	NOT-FOR-US: WP Super Cache
CVE-2013-2010
	NOT-FOR-US: W3 Total Cache
CVE-2013-2009
	NOT-FOR-US: WP Super Cache
CVE-2013-2008
	NOT-FOR-US: WP Super Cache
CVE-2013-1980
	- xmp 3.4.0-3 (low; bug #706667)
CVE-2013-1973
	NOT-FOR-US: Drupal contributed module
CVE-2013-1967 [mediaelement flashmediaelement XSS]
	- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1963
	- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1951
	- mediawiki 1:1.19.5-1
CVE-2013-1946
	NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module
CVE-2013-1941 [Postgre: Insecure database password generator]
	- owncloud 5.0.4~rc1+dfsg-1
CVE-2013-1939 [Windows: Local file disclosure]
	- owncloud <not-affected> (Windows version only)
CVE-2013-1938
	NOT-FOR-US: Zimbra
CVE-2013-1934 [mantis: XSS issue in adm_config_report.php when displaying complex value]
	- mantis <removed> (low; bug #717482)
CVE-2013-1932 [mantis: XSS vulnerability on Configuration Report page]
	- mantis <not-affected> (affects Mantis 1.2.13 only)
CVE-2013-1931 [mantis: XSS vulnerability when deleting a version]
	- mantis <not-affected> (affects Mantis 1.2.14 only)
CVE-2013-1930 [mantis: Close button available to users despite workflow restrictions]
	- mantis <not-affected> (affects only Mantis 1.2.12 and later)
CVE-2013-1924
	NOT-FOR-US: Commerce Skrill Drupal module
CVE-2013-1916
	NOT-FOR-US: WordPress plugin
CVE-2013-1910 [Not removing bad metadata and using it in next run]
	- yum <unfixed> (unimportant)
CVE-2013-1904 [roundcube variable overwrite]
	- roundcube 0.7.2-9
CVE-2013-1895 [concurrency issue leading to auth bypass]
	- python-bcrypt <removed> (bug #704030)
CVE-2013-1893
	- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1890
	- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1889
	- libapache2-mod-ruid2 0.9.8-1 (low; bug #704066)
CVE-2013-1886
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1885
	NOT-FOR-US: Red Hat Certificate System
CVE-2013-1883 [mantis: remote DoS]
	- mantis <not-affected> (only affects 1.2.12 to 1.2.14)
CVE-2013-1880 [XSS vulnerability in portfolioPublish demo application]
	- activemq <not-affected> (portfolio demo app not shipped in Debian package)
CVE-2013-1874 [Chicken Scheme: code execution]
	- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2013-1864 [Ekiga billion laughs flaw in ptlib]
	NOTE: http://www.openwall.com/lists/oss-security/2013/03/15/6
CVE-2013-1853 [Almanah doesn't encrypt the database]
	- almanah 0.9.1-1 (bug #702905)
CVE-2013-1851 [user_migrate: Local file disclosure]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1850 [Contacts: Bypass of file blacklist]
	- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1841 [Reverse lookup issue in Net::Server]
	- libnet-server-perl <unfixed> (low; bug #702914)
CVE-2013-1822
	- owncloud <not-affected> (owncloud stable4 (4.0.x) is not affected) 
CVE-2013-1820
	NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2013-1818 [mediawiki mwdoc-filter.php information disclosure]
	- mediawiki <not-affected> (mwdoc-filter.php introduced in 1.20)
CVE-2013-1817 [mediawiki information disclosure in unblock API]
	- mediawiki 1:1.19.4-1 (bug #702305)
CVE-2013-1816 [mediawiki insecure curl usage]
	- mediawiki 1:1.19.4-1
CVE-2013-1811 [Reporter can change issue status to 'new']
	- mantis <removed> (low; bug #698481)
CVE-2013-1810 [summary.php category/project names XSS vulnerability]
	- mantis <not-affected> (only affects MantisBT 1.2.12)
CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
	- gambas3 3.5.1-1 (low; bug #702184)
CVE-2013-1771 [monkey: world-readable logdir]
	- monkey <removed> (low)
CVE-2013-1770 [XSS issues in views_view.php]
	- ganglia <unfixed> (low; bug #700158)
CVE-2013-1764
	- packagekit <not-affected> (Zypp backend specific to SuSE)
CVE-2013-1753
	- python2.5 <removed> (low)
CVE-2013-1752
	- python2.5 <removed> (low)
CVE-2013-1751
	- twiki <removed>
CVE-2013-1689
	[wheezy] - iceape <end-of-life>
CVE-2013-1666
	- foswiki <itp> (bug #509864)
CVE-2013-1470 [XSS in geeklog]
	NOTE: There was a RFP long time ago, bug #203818
CVE-2013-1437 [Code execution when gathering version metadata]
	- perl 5.18.1-2
CVE-2013-1436 [code injection]
	- xmonad-contrib 0.11.2-1 (low)
CVE-2013-1429 [Lintian unsafe symlinks]
	- lintian 2.5.10.5 (bug #705553; unimportant)
CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
	- mahara <removed>
CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions exposes password hashes]
	- ldap-git-backup 1.0.4-1 (bug #699227)
CVE-2013-0243 [Basic constraints vulnerability]
	- haskell-tls-extra 0.4.6.1-1 (bug #698545)
CVE-2013-1376
	NOT-FOR-US: Adobe Reader
CVE-2013-0870 [libavcodec/vp3.c: 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a]
	- ffmpeg <not-affected> (No threading support in vp3 from ffmpeg 0.5)
CVE-2013-0350 [writes content from TCP streams to public readable file /tmp/smtp.log]
	- pktstat 1.8.5-3 (bug #701211)
CVE-2013-0347 [webfs world-readable logdir]
	- webfs 1.21+ds1-9 (low; bug #701638)
CVE-2013-0346 [tomcat world-readable logdir]
	- tomcat6 <not-affected> (Log files are owned by tomcat:tomcat)
CVE-2013-0345 [varnish world-readable logdir]
	- varnish <not-affected> (Logfiles are owned by varnishlog:varnishlog)
CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
	- pyrad <unfixed> (low; bug #701151)
CVE-2013-0336 [DoS when connecting with a missing username/dn]
	- 389-ds-base <unfixed> (bug #704077)
CVE-2013-0326
	- nova <unfixed> (low)
CVE-2013-0307 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0303 [Multiple code executions]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0301 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0300 [Multiple CSRF vulnerabilities]
	- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0299 [Multiple CSRF vulnerabilities]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0298 [XSS vulnerability]
	- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0297 [XSS vulnerability]
	- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0296 [creates temp files with too wide permissions]
	- pigz 2.2.4-2 (low; bug #700608)
CVE-2013-0294 [potentially predictable password hashing]
	- pyrad 2.0-2 (low; bug #700669)
CVE-2013-0293 [Lock screen accepts F2 to drop to shell]
	- ovirt-node <itp> (bug #502024)
CVE-2013-0289 [missing SSL subject verification]
	- isync 1.0.4-2.2 (low; bug #701052)
CVE-2013-0267
	NOT-FOR-US: Apache VCL
CVE-2013-0264
	NOT-FOR-US: Cumin
CVE-2013-0250 [corosync: Remote DoS due improper HMAC initialization]
	- corosync <not-affected> (Introduced in v1.99.8-2-ge925f42; bug #699615)
CVE-2013-0234
	- elgg <itp> (bug #526197)
CVE-2013-0204 [Code execution in external storage]
	- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0203 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0202 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0201 [XSS vulnerabilities]
	- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0199
	NOT-FOR-US: FreeIPA
CVE-2013-0197 [XSS vulnerability with match_type filter]
	- mantis <not-affected> (This only affects the 1.2.12 version, which isn't present in Debian, bug #698481)
CVE-2013-0195 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0194 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0193 [Unspecified XSS]
	- piwik <itp> (bug #506933)
CVE-2013-0192
	NOT-FOR-US: Simple Machines Forum
CVE-2013-0191 [pam-pgsql NULL password handling issue]
	- pam-pgsql 0.7.3.1-4 (bug #698241)
CVE-2013-0185
	NOT-FOR-US: ManageIQ EVM (CloudForms)
CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm swap file]
	- redis 2:2.6.0-1 (low)
CVE-2013-0177
	NOT-FOR-US: OFBiz
CVE-2013-0161
	NOT-FOR-US: Havalite CMS
CVE-2013-0159
	NOT-FOR-US: Fedora build script

From geissert at debian.org  Wed Feb 12 08:18:17 2014
From: geissert at debian.org (Raphael Geissert)
Date: Wed, 12 Feb 2014 15:18:17 +0100
Subject: [VIM] Old CVE ids, public, but still "RESERVED"
In-Reply-To: <201402081217.32134.geissert@debian.org>
References: <201402081217.32134.geissert@debian.org>
Message-ID: <CAA7hUgGMPhS6TocZD6Mrte3OUm20do5k1HzXzA=Z-NFDRoYiZQ@mail.gmail.com>

Hi again,

It appears that some of the issues in the lists I previously sent have
been processed lately, so I figured I could provide the list of issues
with a year between 2001 and 2010.

This batch contains the ids followed by any information that can be
found in our text database.

HTH.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
CVE-2001-1593 [insecure use of /tmp]
	- a2ps <unfixed> (low; bug #737385)
	[wheezy] - a2ps <no-dsa> (Minor issue)
	[squeeze] - a2ps <no-dsa> (Minor issue)
CVE-2004-2776
	NOT-FOR-US: Montitorix
CVE-2002-2439
	- gcc-4.1 <removed>
	[squeeze] - gcc-4.1 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	- gcc-4.3 <removed>
	[squeeze] - gcc-4.3 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	- gcc-4.4 <unfixed> (low)
	[squeeze] - gcc-4.4 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	[wheezy] - gcc-4.4 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	- gcc-4.6 <unfixed> (low)
	[wheezy] - gcc-4.6 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	- gcc-4.7 <unfixed> (low; bug #710830)
	[wheezy] - gcc-4.7 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
	- gcc-4.8 4.8.0-1 (low)
	NOTE: Are there apps known to be exploitable through this?
	NOTE: Any application using unguarded memory allocation would be susceptible to DoS anyway?
	NOTE: This should be addressed in jessie by getting this fixed in gcc 4.7, so that the archive is
	NOTE: properly rebuild with a fixed version from the start
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439
CVE-2002-2438
	NOT-FOR-US: ancient linux 2.4 issue
CVE-2006-7246
	- wpasupplicant 0.7.3-1
	[squeeze] - wpasupplicant <no-dsa> (Minor issue)
	- network-manager 0.9.4.0-1
	[squeeze] - network-manager <no-dsa> (Minor issue)
	NOTE: might be fixed earlier; I checked the source versions in Wheezy
CVE-2005-4890 [login: tty hijacking possible in "su" via TIOCSTI ioctl]
	- shadow 1:4.1.5-1 (low; bug #628843)
	[squeeze] - shadow <no-dsa> (Minor issue)
	[lenny] - shadow <no-dsa> (Minor issue)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=173008
	- sudo 1.7.4p4 (low; bug #657784)
	NOTE: sudo might be fixed earlier, use_pty present in stable
CVE-2006-4245
	- archivemail 0.6.2-2
CVE-2006-4243 [linux vserver priviledge escalation in remount code]
	- linux-2.6 2.6.17-9
CVE-2006-3100 [termnetd buffer overflow]
	- termpkg 3.3-7 (bug #358028; medium)
CVE-2006-0062 [Potential xlockmore bypass]
	- xlockmore 1:5.13-2.1 (bug #309760)
CVE-2006-0061 [xlock segfaults when using libpam-opensc]
	- xlockmore 1:5.22-1.2 (bug #318123; bug #399003; low)
	[sarge] - xlockmore <no-dsa> (Minor issue)
CVE-2005-3056 [TWiki INCLUDE function allows arbitrary shell command execution ]
	- twiki 20040902-2 (bug #330733; high)
CVE-2005-2349 [Directory traversal in zoo]
	- zoo 2.10-4 (low; bug #309594)
CVE-2005-2350 [Cross Site Scripting in websieve]
	- websieve <removed> (bug #311838; low)
CVE-2005-2351 [Minor DoS condition in mutt due to preditable tempfiles]
	- mutt 1.5.20-7 (bug #311296; unimportant)
	[sarge] - mutt <no-dsa> (Minor annoyance, not a real DoS)
	NOTE: An "attacker" could achieve the same by simply filling up /tmp
CVE-2005-2352 [Temp file races in gs-gpl addons scripts]
	- gs-gpl 8.56.dfsg.1-1 (bug #291373; unimportant)
CVE-2005-2354 [nvu uses old copy of mozilla xpcom]
	NOTE: have not checked to see which security holes are in it exactly
	- nvu <removed> (bug #306822; medium)
CVE-2005-2356
	NOTE: This was assigned to an eskuel non-issue before due to Red Hat typos
-------------- next part --------------
CVE-2007-6745 [clamav floating point exception in OLE2 scanner DoS]
	- clamav 0.91.2-1~volatile1
	[etch] - clamav <not-affected> (Vulnerable code not present)
	[sarge] - clamav <not-affected> (Vulnerable code not present)
CVE-2007-5743
	- viewvc 1.0.3-2.1 (bug #416696)
CVE-2007-3915 [mondo insecure handling of temporary files]
	- mondo 2.24-2 (low)
CVE-2007-2841 [lighttpd DoS]
	- lighttpd 1.4.16-1 (bug #428368)
	NOTE: Duplicate of CVE-2007-3947, was assigned from Debian CNA and clashed with MITRE
	NOTE: assignment
CVE-2007-0899 [Possible heap overflow in libclamav/fsg.c]
	{DSA-1263-1}
	- clamav 0.90-1
	[etch] - clamav	0.88.7-2
CVE-2007-0241
	- linux-2.6 2.6.18.dfsg.1-12
-------------- next part --------------
CVE-2008-7291 [gri: insecure temp file generation]
	- gri 2.12.18-1 (low)
	[etch] - gri <no-dsa> (Minor issue)
	[lenny] - gri <no-dsa> (Minor issue)
CVE-2008-7272 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
	- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
	- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-3793
	NOT-FOR-US: Adobe Flash
CVE-2008-3277
	- ibutils <not-affected> (RedHat-specific)
-------------- next part --------------
CVE-2009-5068
	NOT-FOR-US: Simple Machines Forum
CVE-2009-5025 [PyForum XSS+CSRF]
	NOT-FOR-US: PyForum
CVE-2009-5023 [fail2ban: Insecure creating/writing to tmpfile]
	- fail2ban 0.8.4+svn20110323-1 (low; bug #544232)
	[lenny] - fail2ban <no-dsa> (Minor issue)
	[squeeze] - fail2ban <no-dsa> (Minor issue)
CVE-2009-5004
	- qpid-cpp <not-affected> (Fixed before initial upload to archive)
CVE-2009-4900 [pixelpost XSS]
	- pixelpost <removed> (bug #597224)
	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4899 [pixelpost SQL injection]
	- pixelpost <removed> (bug #597224)
	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-5050 [konversation DoS]
	- konversation 1.2.3-1 (low)
	[lenny] - konversation <not-affected> (Doesn't affect the combination of kdelibs/QT in Lenny)
	NOTE: http://bugs.kde.org/show_bug.cgi?id=219985
CVE-2009-5042 [docutils insecure usage of temporary files]
	- python-docutils 0.6-2 (low; bug #560755)
	[etch] - python-docutils <not-affected> (vulnerable code introduced in 0.5)
	[lenny] - python-docutils 0.5-2+lenny1
	NOTE: cve requested
CVE-2009-4067
	{DSA-2310-1}
	- linux-2.6 2.6.28-1 (low)
	NOTE: Driver was removed in 2.6.27
CVE-2009-4011 [dtc-xen race condition]
	- dtc-xen 0.5.4-1
	[lenny] - dtc-xen <not-affected> (Only affects 0.5.x)
CVE-2009-3887 [ytnef path traversal]
	- ytnef <removed> (bug #567631)
	[lenny] - ytnef <no-dsa> (Minor issue)
	NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
	NOTE: This doesn't affect Evolution, the TNEF plugin is external
CVE-2009-5045 [multiple vulnerabilities in jetty]
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5046 [multiple vulnerabilities in jetty]
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5047 [multiple vulnerabilities in jetty]
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5048 [multiple vulnerabilities in jetty]
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5049 [multiple vulnerabilities in jetty]
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-3724
	NOT-FOR-US: python-markdown2 (not our markdown, different code base)
CVE-2009-3723 [Unauthorized calls allowed on prohibited networks in asterisk]
	[etch] - asterisk <not-affected>
	[lenny] - asterisk <not-affected>
	- asterisk 1:1.6.2.0~rc3-2 (medium; bug #552756)
	NOTE: http://downloads.asterisk.org/pub/security/AST-2009-007.html
CVE-2009-3721 [ytnef buffer overflow]
	- ytnef <removed> (bug #567631)
	[lenny] - ytnef <no-dsa> (Minor issue)
	NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
	NOTE: This doesn't affect Evolution, the TNEF plugin is external
CVE-2009-3614 [oping suid 0 arbitrary file disclosure]
	- liboping 1.3.3-1 (low; bug #548684)
	[lenny] - liboping <not-affected> (doesn't have -f option yet)
	[etch] - liboping <not-affected> (doesn't have -f option yet)
CVE-2009-3552
	NOT-FOR-US: Red Hat Enterprise Virtualization Manager
CVE-2009-5041 [buffer overflow in overkill]
	- overkill 0.16-14.1 (bug #549310; low)
	[lenny] - overkill <no-dsa> (Minor issue)
	[etch] - overkill <no-dsa> (Minor issue)
CVE-2009-5043 [burn: Insecure escaping of file names]
	- burn 0.4.5-1 (low; bug #542329)
	[lenny] - burn 0.4.3-2.1+lenny1
	[etch] - burn <no-dsa> (Minor issue)
CVE-2009-2802
	- mantis <not-affected> (Only affects 1.2.x)
	NOTE: http://www.mantisbt.org/bugs/view.php?id=11952
	NOTE: http://www.mantisbt.org/blog/?p=113
CVE-2009-0035 [alsainfo insecure temp file usage]
	- alsa-driver 1.0.20-1 (unimportant)
	NOTE: alsainfo not built into source package
-------------- next part --------------
CVE-2010-5111 [echoping buffer overflows]
	- echoping 6.0.2-4 (low; bug #606808)
	[squeeze] - echoping <no-dsa> (Minor issue)
	NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/
	NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569
	NOTE: http://xforce.iss.net/xforce/xfdb/64141
	NOTE: http://secunia.com/advisories/42619/
CVE-2010-5110 [poppler: JPEG error handler]
	- poppler 0.16.3-1 (bug #722705)
CVE-2010-5109 [libytnef: buffer overflow]
	- libytnef 1.5-5 (low; bug #705468)
	[squeeze] - libytnef <no-dsa> (Minor issue)
	[wheezy] - libytnef <no-dsa> (Minor issue)
	- claws-mail-extra-plugins <unfixed> (low)
	[squeeze] - claws-mail-extra-plugins <no-dsa> (Minor issue)
	[wheezy] - claws-mail-extra-plugins <no-dsa> (Minor issue)
CVE-2010-5108 [Trac Ticket Modification Workflow Permission Restriction Bypass]
	- trac 0.11.7-1 (bug #573260)
CVE-2010-5105 [blender /tmp/quit.blend temp file issue]
	- blender <unfixed> (low; bug #584621)
	[squeeze] - blender <no-dsa> (Minor issue)
	[wheezy] - blender <no-dsa> (Minor issue)
CVE-2010-5077 [quake3 reflective UDP denial of service]
	{DSA-2442-1}
	- openarena 0.8.5-6 (medium; bug #665656)
	- ioquake3 <not-affected> (fixed before upload)
	- tremulous 1.1.0-8 (bug #665842)
	[squeeze] - tremulous 1.1.0-7~squeeze1
CVE-2010-4820 [ghostscript split from CVE-2010-2055]
	- ghostscript 8.71~dfsg2-6.1
	[lenny] - ghostscript <no-dsa> (too risky for regressions)
CVE-2010-4817 [overwriting of arbitrary file via symlinks]
	- pithos 0.3.5-1
CVE-2010-4815
	NOT-FOR-US: coppermine gallery
CVE-2010-4777
	- perl <unfixed> (unimportant; bug #628836)
	NOTE: Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug
CVE-2010-4664
	- consolekit 0.4.2-1 (low)
	[squeeze] - consolekit <no-dsa> (Minor issue)
CVE-2010-4662
	NOT-FOR-US: pmwiki
CVE-2010-4661 [arbitrary kernel module loading]
	- udisks 1.0.3-1
	[squeeze] - udisks <no-dsa> (Minor issue)
	NOTE: upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=32232
	NOTE: fixed by http://cgit.freedesktop.org/udisks/commit/?id=c933a929f07421ec747cebb24d5e620fc2b97037
CVE-2010-4660
	- statusnet <itp> (bug #491723)
CVE-2010-4659
	- statusnet <itp> (bug #491723)
CVE-2010-4658
	- statusnet <itp> (bug #491723)
CVE-2010-4657 [xmlTextWriterWriteAttribute heap disclosure]
	- php5 <unfixed> (low)
	[wheezy] - php5 <no-dsa> (Minor issue)
	[squeeze] - php5 <no-dsa> (Minor issue)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
	NOTE: This was initially reported to be a bug in libxml2, but it later showed that PHP
	NOTE: is using the libxml2 API in an incorrect manner
CVE-2010-4654 [Malformed commands may cause corruption of the internal stack]
	- kdegraphics <not-affected> (no stackheight)
	- xpdf <not-affected> (no stackheight) 
	- poppler 0.16.3-1
	[lenny] - poppler <not-affected> (stackheights introduced after 0.12)
	[squeeze] - poppler <not-affected> (stackheights introduced after 0.12)
	NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9
CVE-2010-4653 [integer overflow when parsing CharCodes for fonts]
	- kdegraphics 4.0
	- xpdf 3.02-9
	- poppler 0.16.3-1 (low)
	[lenny] - poppler <no-dsa> (minor issue)
	[squeeze] - poppler 0.12.4-1.2+squeeze1
	NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
CVE-2010-4533 [offlineimap uses SSLv2]
	- offlineimap <unfixed> (low; bug #606962)
	[wheezy] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
	[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
	[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
CVE-2010-4532 [no SSL cert validation]
	- offlineimap 6.3.2~rc3-2 (low; bug #603450)
	[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
	[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
CVE-2010-4245
	- pootle 2.0.5-0.3 (low; bug #604060)
	[lenny] - pootle <not-affected> (Vulnerable code not present)
CVE-2010-4241
	- tikiwiki <removed>
CVE-2010-4240
	- tikiwiki <removed>
CVE-2010-4239
	- tikiwiki <removed>
CVE-2010-4178
	- mysql-gui-tools <unfixed> (low; bug #605542)
	[squeeze] - mysql-gui-tools <no-dsa> (Minor issue)
	[lenny] - mysql-gui-tools <no-dsa> (Minor issue)
CVE-2010-4177
	- mysql-gui-tools <unfixed> (low; bug #605542)
	[squeeze] - mysql-gui-tools <no-dsa> (Minor issue)
	[lenny] - mysql-gui-tools <no-dsa> (Minor issue)
CVE-2010-3857 [JBoss BRMS XSS via UUID parameter]
	- jbossas4 <not-affected> (Vulnerable code not present)
	NOTE: JBoss 5 only; fixed in 5.1.0
CVE-2010-3844
	- ettercap <unfixed> (unimportant; bug #600130)
	NOTE: Very far-fetched attack vector
CVE-2010-3843
	- ettercap <unfixed> (unimportant; bug #600130)
	NOTE: Very far-fetched attack vector
CVE-2010-3845
	- libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712)
	[lenny] - libapache-authenhook-perl 2.00-04+pristine-1+lenny1
CVE-2010-4237
	- mercurial 1.6.4-1 (low; bug #598841)
	[lenny] - mercurial <no-dsa> (Minor issue)
CVE-2010-3659 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3660 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3661 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3662 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3663 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3664 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3665 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3666 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3667 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3668 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3669 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3670 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3671 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3672 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3673 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3674 [Multiple security issues]
	{DSA-2098-1}
	- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3440 [babiloo insecure downloading and unpacking of dictionary files]
	- babiloo 2.0.11-1 (low; bug #591995)
CVE-2010-3439 [alien-arena: server dos]
	- alien-arena 7.33-5 (low; bug #575621)
	[lenny] - alien-arena 7.0-1+lenny2
CVE-2010-3438 [Insufficient stripping of CR/LF allows arbitrary IRC command execution]
	- libpoe-component-irc-perl 6.32+dfsg-1
	[lenny] - libpoe-component-irc-perl 5.84+dfsg-1+lenny1 (bug #581194)
CVE-2010-3375
	- qtparted 0.4.5-8 (low; bug #598301)
	[lenny] - qtparted <no-dsa> (Minor issue)
CVE-2010-3373
	- paxtest 1:0.9.9-1 (unimportant; bug #598413)
CVE-2010-3359 [gargoyle: insecure library loading]
	- gargoyle-free 2009-08-25-2
	NOTE: http://groups.google.com/group/garglk-dev/browse_thread/thread/1c92ab6f24d5ebe6
CVE-2010-3305 [pixel CSRF]
	- pixelpost <removed> (bug #597224)
CVE-2010-3299 [ruby on rails: padding oracle attack]
	- rails <unfixed> (unimportant)
	NOTE: http://seclists.org/oss-sec/2010/q3/415
	NOTE: http://seclists.org/oss-sec/2010/q3/413
	NOTE: http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
CVE-2010-3295 [drivers/net/tulip/de4x5.c: reading uninitialized stack memory]
	NOTE: assigned to linux-2.6, but claimed not a problem: http://www.openwall.com/lists/oss-security/2010/09/15/2
	NOTE: will probably get rejected
CVE-2010-3282
	NOT-FOR-US: Red Hat Directory Server
CVE-2010-3293 [mailscanner virus updates DoS]
	- mailscanner <removed> (bug #596397; unimportant)
	NOTE: or even unimportant, the script is not used by default
CVE-2010-3292 [mailscanner may use spoofed data]
	- mailscanner <removed> (bug #596396; low)
	[squeeze] - mailscanner <no-dsa> (Minor issue)
CVE-2010-3095 [mailscanner incomplete fix for CVE-2008-5313]
	- mailscanner 4.79.11-2.1 (bug #596403)
CVE-2010-3090 [mailman, will be rejected]
	NOT-FOR-US: ** REJECT ** mailman
CVE-2010-2783
	- openjdk-6 6b18-1.8.1-1
CVE-2010-2548
	- openjdk-6 6b18-1.8.1-1
CVE-2010-2490 [murmur DoS via malformed client query]
	- mumble 1.2.2-4 (bug #587713)
	[lenny] - mumble <no-dsa> (Minor issue)
	- qt4-x11 <not-affected> (low; bug #587713)
CVE-2010-2488 [znc null pointer deref]
	{DSA-2069-1}
	- znc 0.090-2 (bug #584929)
CVE-2010-2476 [syscp open_basedir bypassing]
	- syscp <removed> (bug #587481)
CVE-2010-2247 [makepasswd: insecure passwords generated with default settings]
	- makepasswd 1.10-5 (low; bug #564559)
	[lenny] - makepasswd 1.10-3+lenny1
CVE-2010-2243 [timekeeping oops]
	- linux-2.6 2.6.32-11
	[lenny] - linux-2.6 <not-affected> (Vulnerable code not present)
CVE-2010-2236
	NOT-FOR-US: Red Hat Satellite
CVE-2010-2222
	NOT-FOR-US: Red Hat Directory Server
CVE-2010-2064
	- rpcbind 0.2.0-4.1
	NOTE: This version changed the state directory to /var/run/rpcbind, which is only writable by root
CVE-2010-2062 [VLC: integer underflow in Real RTSP]
	{DSA-2044-1 DSA-2043-1}
	- vlc 1.0.1-1
	[lenny] - vlc 0.8.6.h-4+lenny2.3 
	- mplayer 2:1.0~rc3+svn20100502-3 (medium; bug #581245)
	[lenny] - mplayer 1.0~rc2-17+lenny3.2
	- xine-lib <not-affected> (immune due to additional check in xio_rw_abbort())
	NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=dc74600c97eb834c08674676e209afa842053aca
	NOTE: http://dzcore.wordpress.com/2009/07/27/dzc-2009-001-the-movie-player-and-vlc-media-player-real-data-transport-parsing-integer-underflow/
	NOTE: DSA-2043 and DSA-2044
CVE-2010-2061
	- rpcbind 0.2.0-4.1
CVE-2010-1765
	- webkit <not-affected> (doesn't include cf code)
	- chromium-browser 5.0.375.55~r47796-1
	NOTE: https://bugs.webkit.org/show_bug.cgi?id=37933
	NOTE: http://trac.webkit.org/changeset/57995
CVE-2010-1678
	- mapserver 5.6.5-2
	NOTE: http://trac.osgeo.org/mapserver/ticket/3641
CVE-2010-1673 [ikiwiki xss due to insufficient html scrubbing]
	- ikiwiki 3.20101112
	[squeeze] - ikiwiki 3.20100815.2
	[lenny] - ikiwiki <not-affected>
CVE-2010-2447 [gitolite "not filtering src/ or hooks/ from pathnames"]
	- gitolite 1.4.2-1 (low)
	NOTE: http://secunia.com/advisories/39587/
CVE-2010-1445 [Heap buffer overflow in RTMP access]
	- vlc 1.0.6-1
	[lenny] - vlc <not-affected> (Vulnerable code not present)
	NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1444 [Invalid memory access in ZIP archive decompressor]
	- vlc 1.0.6-1
	[lenny] - vlc <not-affected> (Vulnerable code not present)
	NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1443 [Invalid memory access in XSPF playlist parser]
	- vlc 1.0.6-1 (unimportant)
	NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1442 [Invalid memory access in AVI, ASF, Matroska (MKV) demuxers]
	- vlc 1.0.6-1
	[lenny] - vlc 0.8.6.h-4+lenny3
	NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1441 [Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders]
	- vlc 1.0.6-1
	[lenny] - vlc 0.8.6.h-4+lenny3
	NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-2449 [gource: predictable log file located in /tmp]
	- gource 0.26-2 (low; bug #577958)
CVE-2010-1154
	- irssi 0.8.15-1 (low)
	[lenny] - irssi <no-dsa> (Minor issue)
CVE-2010-2446 [Rbot Owner Reaction Command Execution]
	- rbot 0.9.14-2 (bug #575286)
	[lenny] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
	[etch] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
CVE-2010-0747 [linux-2.6 drbd connector issue]
	{DSA-2015-1}
	- linux-2.6 <not-affected> (drbd introduced for the first time in 2.6.32-12, which included the fix for this issue, so no supported debian kernel was ever affected)
	- drbd8 2:8.3.7-1
	[lenny] - drbd8 2:8.0.14-2+lenny1
	NOTE: CVE requested at http://www.openwall.com/lists/oss-security/2010/03/11/9
CVE-2010-2450 [shibboleth-sp2: world-readable key]
	- shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
	[lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
	- shibboleth-sp <not-affected> (Vulnerable code not present)
CVE-2010-2473 [Blocked user session regeneration]
	{DSA-2016-1}
	- drupal6 6.18-1 (bug #592716)
CVE-2010-2472 [Locale module cross site scripting]
	{DSA-2016-1}
	- drupal6 6.18-1 (bug #592716)
CVE-2010-2471 [Open redirection]
	{DSA-2016-1}
	- drupal6 6.18-1 (bug #592716)
CVE-2010-2250 [Installation cross site scripting]
	{DSA-2016-1}
	- drupal6 6.18-1 (bug #592716)
CVE-2010-0749
	- transmission 1.92-1 (unimportant; bug #574507)
CVE-2010-0748 [transmission magnet links parser buffer overflow]
	- transmission 1.92-1 (medium; bug #574507)
	[lenny] - transmission <not-affected> (Support for Magnet links not yet available)
CVE-2010-0737
	NOT-FOR-US: JBoss Operations Network
CVE-2010-0474
	{DSA-2188-1}
	- webkit <undetermined>
CVE-2010-0398 [autokey arbitrary file overwriting via symlinks]
	- autokey 0.61.3-2
CVE-2010-0207 [xpdf: XRef table parsing infinite loop]
	- kdegraphics 4.0 (unimportant)
	- xpdf <unfixed> (unimportant)
	- poppler 0.16.3-1 (unimportant)
	[squeeze] - poppler 0.12.4-1.2+squeeze1
	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=28172
	NOTE: Just a crasher, not treated as a security issue
CVE-2010-0206 [xpdf: Invalid pointer dereference by processing JBIG2 PDF stream objects]
	- kdegraphics 4.0 (unimportant)
	- xpdf <unfixed>  (unimportant)
	- poppler 0.16.3-1 (unimportant)
	[squeeze] - poppler 0.12.4-1.2+squeeze1
	NOTE: Just a crasher, not treated as a security issue