[Midnightbsd-cvs] mports [19644] trunk/security/vuxml/vuln.xml: update list
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Aug 1 09:02:09 EDT 2015
Revision: 19644
http://svnweb.midnightbsd.org/mports/?rev=19644
Author: laffer1
Date: 2015-08-01 09:02:09 -0400 (Sat, 01 Aug 2015)
Log Message:
-----------
update list
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2015-08-01 13:00:24 UTC (rev 19643)
+++ trunk/security/vuxml/vuln.xml 2015-08-01 13:02:09 UTC (rev 19644)
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 392130 2015-07-15 12:46:08Z tijl $
+ $FreeBSD: head/security/vuxml/vuln.xml 393358 2015-07-31 16:36:08Z feld $
QUICK GUIDE TO ADDING A NEW ENTRY
@@ -58,22 +58,1079 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4622635f-37a1-11e5-9970-14dae9d210b8">
+ <topic>net-snmp -- snmptrapd crash</topic>
+ <affects>
+ <package>
+ <name>net-snmp</name>
+ <range><ge>5.7.0</ge><le>5.7.2.1</le></range>
+ <range><ge>5.6.0</ge><le>5.6.2.1</le></range>
+ <range><ge>5.5.0</ge><le>5.5.2.1</le></range>
+ <range><ge>5.4.0</ge><le>5.4.4</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Murray McAllister reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2014/q3/473">
+ <p>A remote denial-of-service flaw was found in the way
+ snmptrapd handled certain SNMP traps when started with the
+ "-OQ" option. If an attacker sent an SNMP trap containing a
+ variable with a NULL type where an integer variable type was
+ expected, it would cause snmptrapd to crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2014/q3/473</url>
+ <url>http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/</url>
+ <url>https://sourceforge.net/p/net-snmp/official-patches/48/</url>
+ <cvename>CVE-2014-3565</cvename>
+ </references>
+ <dates>
+ <discovery>2014-07-31</discovery>
+ <entry>2015-07-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="381183e8-3798-11e5-9970-14dae9d210b8">
+ <topic>net-snmp -- snmp_pdu_parse() function incomplete initialization</topic>
+ <affects>
+ <package>
+ <name>net-snmp</name>
+ <range><le>5.7.3_7</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Qinghao Tang reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q2/116">
+ <p>Incompletely initialized vulnerability exists in the function
+ ‘snmp_pdu_parse()’ of ‘snmp_api.c', and remote attackers can cause memory
+ leak, DOS and possible command executions by sending malicious packets.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2015/q2/116</url>
+ <url>http://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1212408</url>
+ <cvename>CVE-2015-5621</cvename>
+ </references>
+ <dates>
+ <discovery>2015-04-11</discovery>
+ <entry>2015-07-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="731cdeaa-3564-11e5-9970-14dae9d210b8">
+ <topic>bind -- denial of service vulnerability</topic>
+ <affects>
+ <package>
+ <name>bind910</name>
+ <range><lt>9.10.2P3</lt></range>
+ </package>
+ <package>
+ <name>bind99</name>
+ <range><lt>9.9.7P2</lt></range>
+ </package>
+ <package>
+ <name>bind910-base</name>
+ <name>bind99-base</name>
+ <range><gt>0</gt></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><gt>9.3</gt><le>9.3_20</le></range>
+ <range><gt>8.4</gt><le>8.4_34</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01272/">
+ <p>An error in the handling of TKEY queries can be exploited
+ by an attacker for use as a denial-of-service vector, as a constructed
+ packet can use the defect to trigger a REQUIRE assertion failure,
+ causing BIND to exit.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5477</cvename>
+ <url>https://kb.isc.org/article/AA-01272/</url>
+ </references>
+ <dates>
+ <discovery>2015-07-21</discovery>
+ <entry>2015-07-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5b74a5bc-348f-11e5-ba05-c80aa9043978">
+ <topic>OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices</topic>
+ <affects>
+ <package>
+ <name>openssh-portable</name>
+ <range><lt>6.9.p1_2,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <blockquote cite="https://access.redhat.com/security/cve/CVE-2015-5600">
+ <p>It was discovered that the OpenSSH sshd daemon did not check the
+ list of keyboard-interactive authentication methods for duplicates.
+ A remote attacker could use this flaw to bypass the MaxAuthTries
+ limit, making it easier to perform password guessing attacks.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://access.redhat.com/security/cve/CVE-2015-5600</url>
+ <cvename>CVE-2015-5600</cvename>
+ </references>
+ <dates>
+ <discovery>2015-07-21</discovery>
+ <entry>2015-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c470bcc7-33fe-11e5-a4a5-002590263bf5">
+ <topic>logstash -- SSL/TLS vulnerability with Lumberjack input</topic>
+ <affects>
+ <package>
+ <name>logstash</name>
+ <range><lt>1.4.4</lt></range>
+ <range><ge>1.5.0</ge><lt>1.5.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Elastic reports:</p>
+ <blockquote cite="https://www.elastic.co/community/security">
+ <p>Vulnerability Summary: All Logstash versions prior to 1.5.2 that
+ use Lumberjack input (in combination with Logstash Forwarder agent)
+ are vulnerable to a SSL/TLS security issue called the FREAK attack.
+ This allows an attacker to intercept communication and access secure
+ data. Users should upgrade to 1.5.3 or 1.4.4.</p>
+ <p>Remediation Summary: Users that do not want to upgrade can address
+ the vulnerability by disabling the Lumberjack input.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5378</cvename>
+ <url>https://www.elastic.co/community/security</url>
+ </references>
+ <dates>
+ <discovery>2015-07-22</discovery>
+ <entry>2015-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>44.0.2403.89</lt></range>
+ </package>
+ <package>
+ <!-- pcbsd -->
+ <name>chromium-npapi</name>
+ <range><lt>44.0.2403.89</lt></range>
+ </package>
+ <package>
+ <!-- pcbsd -->
+ <name>chromium-pulse</name>
+ <range><lt>44.0.2403.89</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="http://googlechromereleases.blogspot.nl/">
+ <p>43 security fixes in this release, including:</p>
+ <ul>
+ <li>[446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium.
+ Credit to cloudfuzzer.</li>
+ <li>[459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium.
+ Credit to makosoft.</li>
+ <li>[461858] High CVE-2015-1274: Settings allowed executable files
+ to run immediately after download. Credit to andrewm.bpi.</li>
+ <li>[462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit
+ to WangTao(neobyte) of Baidu X-Team.</li>
+ <li>[472614] High CVE-2015-1276: Use-after-free in IndexedDB.
+ Credit to Collin Payne.</li>
+ <li>[483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium.
+ Credit to mlafon.</li>
+ <li>[486947] High CVE-2015-1280: Memory corruption in skia. Credit
+ to cloudfuzzer.</li>
+ <li>[487155] High CVE-2015-1281: CSP bypass. Credit to Masato
+ Kinugawa.</li>
+ <li>[487928] High CVE-2015-1282: Use-after-free in pdfium. Credit
+ to Chamal de Silva.</li>
+ <li>[492052] High CVE-2015-1283: Heap-buffer-overflow in expat.
+ Credit to sidhpurwala.huzaifa.</li>
+ <li>[493243] High CVE-2015-1284: Use-after-free in blink. Credit to
+ Atte Kettunen of OUSPG.</li>
+ <li>[504011] High CVE-2015-1286: UXSS in blink. Credit to
+ anonymous.</li>
+ <li>[505374] High CVE-2015-1290: Memory corruption in V8. Credit to
+ Yongjun Liu of NSFOCUS Security Team.</li>
+ <li>[419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to
+ filedescriptor.</li>
+ <li>[444573] Medium CVE-2015-1270: Uninitialized memory read in
+ ICU. Credit to Atte Kettunen of OUSPG.</li>
+ <li>[451456] Medium CVE-2015-1272: Use-after-free related to
+ unexpected GPU process termination. Credit to Chamal de
+ Silva.</li>
+ <li>[479743] Medium CVE-2015-1277: Use-after-free in accessibility.
+ Credit to SkyLined.</li>
+ <li>[482380] Medium CVE-2015-1278: URL spoofing using pdf files.
+ Credit to Chamal de Silva.</li>
+ <li>[498982] Medium CVE-2015-1285: Information leak in XSS auditor.
+ Credit to gazheyes.</li>
+ <li>[479162] Low CVE-2015-1288: Spell checking dictionaries fetched
+ over HTTP. Credit to mike at michaelruddy.com.</li>
+ <li>[512110] CVE-2015-1289: Various fixes from internal audits,
+ fuzzing and other initiatives.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-1270</cvename>
+ <cvename>CVE-2015-1271</cvename>
+ <cvename>CVE-2015-1272</cvename>
+ <cvename>CVE-2015-1273</cvename>
+ <cvename>CVE-2015-1274</cvename>
+ <cvename>CVE-2015-1275</cvename>
+ <cvename>CVE-2015-1276</cvename>
+ <cvename>CVE-2015-1277</cvename>
+ <cvename>CVE-2015-1278</cvename>
+ <cvename>CVE-2015-1279</cvename>
+ <cvename>CVE-2015-1280</cvename>
+ <cvename>CVE-2015-1281</cvename>
+ <cvename>CVE-2015-1282</cvename>
+ <cvename>CVE-2015-1283</cvename>
+ <cvename>CVE-2015-1284</cvename>
+ <cvename>CVE-2015-1285</cvename>
+ <cvename>CVE-2015-1286</cvename>
+ <cvename>CVE-2015-1287</cvename>
+ <cvename>CVE-2015-1288</cvename>
+ <cvename>CVE-2015-1289</cvename>
+ <cvename>CVE-2015-1290</cvename>
+ <url>http://googlechromereleases.blogspot.nl/</url>
+ </references>
+ <dates>
+ <discovery>2015-07-21</discovery>
+ <entry>2015-07-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b202e4ce-3114-11e5-aa32-0026551a22dc">
+ <topic>shibboleth-sp -- DoS vulnerability</topic>
+ <affects>
+ <package>
+ <name>xmltooling</name>
+ <range><lt>1.5.5</lt></range>
+ </package>
+ <package>
+ <name>opensaml2</name>
+ <range><lt>2.5.5</lt></range>
+ </package>
+ <package>
+ <name>shibboleth-sp</name>
+ <range><lt>2.5.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Shibboleth consortium reports:</p>
+ <blockquote cite="http://shibboleth.net/community/advisories/secadv_20150721.txt">
+ <p>
+ Shibboleth SP software crashes on well-formed but invalid XML.
+ </p>
+ <p>
+ The Service Provider software contains a code path with an uncaught
+ exception that can be triggered by an unauthenticated attacker by
+ supplying well-formed but schema-invalid XML in the form of SAML
+ metadata or SAML protocol messages. The result is a crash and so
+ causes a denial of service.
+ </p>
+ <p>
+ You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or
+ later. The easiest way to do so is to update the whole chain including
+ shibboleth-2.5.5 an opensaml2.5.5.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://shibboleth.net/community/advisories/secadv_20150721.txt</url>
+ <cvename>CVE-2015-2684</cvename>
+ </references>
+ <dates>
+ <discovery>2015-07-21</discovery>
+ <entry>2015-07-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c80b27a2-3165-11e5-8a1d-14dae9d210b8">
+ <topic>wordpress -- XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <range><lt>4.2.3,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <name>zh-wordpress-zh_CH</name>
+ <name>zh-wordpress-zh_TW</name>
+ <range><lt>4.2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gary Pendergast reports:</p>
+ <blockquote cite="https://wordpress.org/news/2015/07/wordpress-4-2-3/">
+ <p>WordPress versions 4.2.2 and earlier are affected by a
+ cross-site scripting vulnerability, which could allow users with the
+ Contributor or Author role to compromise a site. This was reported by
+ Jon Cave and fixed by Robert Chapin, both of the WordPress security
+ team.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2015/07/wordpress-4-2-3/</url>
+ <cvename>CVE-2015-5622</cvename>
+ <cvename>CVE-2015-5623</cvename>
+ </references>
+ <dates>
+ <discovery>2015-07-23</discovery>
+ <entry>2015-07-23</entry>
+ <modified>2015-07-24</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="4caf01e2-30e6-11e5-a4a5-002590263bf5">
+ <topic>libidn -- out-of-bounds read issue with invalid UTF-8 input</topic>
+ <affects>
+ <package>
+ <name>libidn</name>
+ <range><lt>1.3.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Simon Josefsson reports:</p>
+ <blockquote cite="http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31">
+ <p>stringprep_utf8_to_ucs4 now rejects invalid UTF-8. This function
+ has always been documented to not validate that the input UTF-8
+ string is actually valid UTF-8...
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2059</cvename>
+ <url>http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31</url>
+ </references>
+ <dates>
+ <discovery>2015-02-09</discovery>
+ <entry>2015-07-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9dd761ff-30cb-11e5-a4a5-002590263bf5">
+ <topic>sox -- memory corruption vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>sox</name>
+ <range><le>14.4.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Michele Spagnuolo, Google Security Team, reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q3/167">
+ <p>The write heap buffer overflows are related to ADPCM handling in
+ WAV files, while the read heap buffer overflow is while opening a
+ .VOC.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2015/q3/167</url>
+ </references>
+ <dates>
+ <discovery>2015-07-22</discovery>
+ <entry>2015-07-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="92cda470-30cb-11e5-a4a5-002590263bf5">
+ <topic>sox -- input sanitization errors</topic>
+ <affects>
+ <package>
+ <name>sox</name>
+ <range><lt>14.4.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>oCERT reports:</p>
+ <blockquote cite="http://www.ocert.org/advisories/ocert-2014-010.html">
+ <p>The sox command line tool is affected by two heap-based buffer
+ overflows, respectively located in functions start_read() and
+ AdpcmReadBlock().</p>
+ <p>A specially crafted wav file can be used to trigger the
+ vulnerabilities.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <bid>71774</bid>
+ <cvename>CVE-2014-8145</cvename>
+ <url>http://www.ocert.org/advisories/ocert-2014-010.html</url>
+ </references>
+ <dates>
+ <discovery>2014-11-20</discovery>
+ <entry>2015-07-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="95eee71d-3068-11e5-a9b5-bcaec565249c">
+ <topic>gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs</topic>
+ <affects>
+ <package>
+ <name>gdk-pixbuf2</name>
+ <range><lt>2.31.2_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>gustavo.grieco at imag.fr reports:</p>
+ <blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=752297">
+ <p>We found a heap overflow and a DoS in the gdk-pixbuf
+ implementation triggered by the scaling of a malformed bmp.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.gnome.org/show_bug.cgi?id=752297</url>
+ </references>
+ <dates>
+ <discovery>2015-07-12</discovery>
+ <entry>2015-07-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8a1d0e63-1e07-11e5-b43d-002590263bf5">
+ <topic>pcre -- Heap Overflow Vulnerability in find_fixedlength()</topic>
+ <affects>
+ <package>
+ <name>pcre</name>
+ <range><le>8.37_1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Venustech ADLAB reports:</p>
+ <blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1651">
+ <p>PCRE library is prone to a vulnerability which leads to Heap
+ Overflow. During subpattern calculation of a malformed regular
+ expression, an offset that is used as an array index is fully
+ controlled and can be large enough so that unexpected heap
+ memory regions are accessed.</p>
+ <p>One could at least exploit this issue to read objects nearby of
+ the affected application's memory.</p>
+ <p>Such information disclosure may also be used to bypass memory
+ protection method such as ASLR.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5073</cvename>
+ <url>https://bugs.exim.org/show_bug.cgi?id=1651</url>
+ <url>http://vcs.pcre.org/pcre?view=revision&revision=1571</url>
+ <mlist>http://www.openwall.com/lists/oss-security/2015/06/26/1</mlist>
+ </references>
+ <dates>
+ <discovery>2015-06-23</discovery>
+ <entry>2015-06-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0bfda05f-2e6f-11e5-a4a5-002590263bf5">
+ <topic>cacti -- Multiple XSS and SQL injection vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>cacti</name>
+ <range><lt>0.8.8e</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Cacti Group, Inc. reports:</p>
+ <blockquote cite="http://www.cacti.net/release_notes_0_8_8e.php">
+ <p>Important Security Fixes</p>
+ <ul>
+ <li>Multiple XSS and SQL injection vulnerabilities</li>
+ <li>CVE-2015-4634 - SQL injection in graphs.php</li>
+ </ul>
+ <p>Changelog</p>
+ <ul>
+ <li>bug: Fixed various SQL Injection vectors</li>
+ <li>bug#0002574: SQL Injection Vulnerabilities in graph items and
+ graph template items</li>
+ <li>bug#0002577: CVE-2015-4634 - SQL injection in graphs.php</li>
+ <li>bug#0002579: SQL Injection Vulnerabilities in data sources</li>
+ <li>bug#0002580: SQL Injection in cdef.php</li>
+ <li>bug#0002582: SQL Injection in data_templates.php</li>
+ <li>bug#0002583: SQL Injection in graph_templates.php</li>
+ <li>bug#0002584: SQL Injection in host_templates.php</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4634</cvename>
+ <freebsdpr>ports/201702</freebsdpr>
+ <url>http://www.cacti.net/release_notes_0_8_8e.php</url>
+ <mlist>http://seclists.org/oss-sec/2015/q3/150</mlist>
+ </references>
+ <dates>
+ <discovery>2015-07-12</discovery>
+ <entry>2015-07-20</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8b1f53f3-2da5-11e5-86ff-14dae9d210b8">
+ <topic>php-phar -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>php55-phar</name>
+ <range><lt>5.5.27</lt></range>
+ </package>
+ <package>
+ <name>php5-phar</name>
+ <range><lt>5.4.43</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p> reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q3/141">
+ <p>Segfault in Phar::convertToData on invalid file.</p>
+ <p>Buffer overflow and stack smashing error in phar_fix_filepath.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist>http://seclists.org/oss-sec/2015/q3/141</mlist>
+ <url>https://bugs.php.net/bug.php?id=69958</url>
+ <url>http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf</url>
+ <url>https://bugs.php.net/bug.php?id=69923</url>
+ <url>http://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f</url>
+ <cvename>CVE-2015-5589</cvename>
+ <cvename>CVE-2015-5590</cvename>
+ </references>
+ <dates>
+ <discovery>2015-06-24</discovery>
+ <entry>2015-07-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="43891162-2d5e-11e5-a4a5-002590263bf5">
+ <topic>moodle -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>moodle27</name>
+ <range><lt>2.7.9</lt></range>
+ </package>
+ <package>
+ <name>moodle28</name>
+ <range><lt>2.8.7</lt></range>
+ </package>
+ <package>
+ <name>moodle29</name>
+ <range><lt>2.9.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Marina Glancy reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q3/94">
+ <p>MSA-15-0026: Possible phishing when redirecting to external site
+ using referer header. (CVE-2015-3272)</p>
+ <p>MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not
+ respected when using 'Post a copy to all groups' in forum
+ (CVE-2015-3273)</p>
+ <p>MSA-15-0028: Possible XSS through custom text profile fields in Web
+ Services (CVE-2015-3274)</p>
+ <p>MSA-15-0029: Javascript injection in SCORM module (CVE-2015-3275)
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-3272</cvename>
+ <cvename>CVE-2015-3273</cvename>
+ <cvename>CVE-2015-3274</cvename>
+ <cvename>CVE-2015-3275</cvename>
+ <mlist>http://seclists.org/oss-sec/2015/q3/94</mlist>
+ <url>https://docs.moodle.org/dev/Moodle_2.7.9_release_notes</url>
+ <url>https://docs.moodle.org/dev/Moodle_2.8.7_release_notes</url>
+ <url>https://docs.moodle.org/dev/Moodle_2.9.1_release_notes</url>
+ </references>
+ <dates>
+ <discovery>2015-07-06</discovery>
+ <entry>2015-07-18</entry>
+ <modified>2015-07-19</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="29083f8e-2ca8-11e5-86ff-14dae9d210b8">
+ <topic>apache22 -- chunk header parsing defect</topic>
+ <affects>
+ <package>
+ <name>apache22</name>
+ <name>apache22-event-mpm</name>
+ <name>apache22-itk-mpm</name>
+ <name>apache22-peruser-mpm</name>
+ <name>apache22-worker-mpm</name>
+ <range><le>2.2.29_5</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache Foundation reports:</p>
+ <blockquote cite="http://www.apache.org/dist/httpd/Announcement2.2.html">
+ <p>CVE-2015-3183 core: Fix chunk header parsing defect. Remove
+ apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN
+ filter, parse chunks in a single pass with zero copy. Limit accepted
+ chunk-size to 2^63-1 and be strict about chunk-ext authorized
+ characters.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.apache.org/dist/httpd/Announcement2.2.html</url>
+ <url>https://github.com/apache/httpd/commit/29779fd08c18b18efc5e640d74cbe297c7ec007e</url>
+ <cvename>CVE-2015-3183</cvename>
+ </references>
+ <dates>
+ <discovery>2015-06-24</discovery>
+ <entry>2015-07-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5c399624-2bef-11e5-86ff-14dae9d210b8">
+ <topic>zenphoto -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>zenphoto</name>
+ <range><lt>1.4.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>zenphoto reports:</p>
+ <blockquote cite="http://www.zenphoto.org/news/zenphoto-1.4.9">
+ <p>Fixes several SQL Injection, XSS and path traversal
+ security issues</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.zenphoto.org/news/zenphoto-1.4.9</url>
+ <mlist>http://seclists.org/oss-sec/2015/q3/123</mlist>
+ <url>https://github.com/zenphoto/zenphoto/pull/935</url>
+ <cvename>CVE-2015-5591</cvename>
+ <cvename>CVE-2015-5592</cvename>
+ <cvename>CVE-2015-5593</cvename>
+ <cvename>CVE-2015-5594</cvename>
+ <cvename>CVE-2015-5595</cvename>
+ </references>
+ <dates>
+ <discovery>2015-05-24</discovery>
+ <entry>2015-07-16</entry>
+ <modified>2015-07-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="67b3fef2-2bea-11e5-86ff-14dae9d210b8">
+ <topic>groovy -- remote execution of untrusted code</topic>
+ <affects>
+ <package>
+ <name>groovy</name>
+ <range><ge>1.7.0</ge><lt>2.4.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Cédric Champeau reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q3/121">
+ <p>Description</p>
+ <p>When an application has Groovy on the classpath and that
+ it uses standard Java serialization mechanim to communicate
+ between servers, or to store local data, it is possible for
+ an attacker to bake a special serialized object that will
+ execute code directly when deserialized. All applications
+ which rely on serialization and do not isolate the code which
+ deserializes objects are subject to this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist>http://seclists.org/oss-sec/2015/q3/121</mlist>
+ <url>http://groovy-lang.org/security.html</url>
+ <url>https://issues.apache.org/jira/browse/GROOVY-7504</url>
+ <cvename>CVE-2015-3253</cvename>
+ </references>
+ <dates>
+ <discovery>2015-07-09</discovery>
+ <entry>2015-07-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a928960a-2bdc-11e5-86ff-14dae9d210b8">
+ <topic>libav -- divide by zero</topic>
+ <affects>
+ <package>
+ <name>libav</name>
+ <range><le>11.3_2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Agostino Sarubbo reports:</p>
+ <blockquote cite="https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/">
+ <p>libav: divide-by-zero in ff_h263_decode_mba()</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/</url>
+ <url>https://git.libav.org/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f</url>
+ <cvename>CVE-2015-5479</cvename>
+ </references>
+ <dates>
+ <discovery>2015-06-21</discovery>
+ <entry>2015-07-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="44d9daee-940c-4179-86bb-6e3ffd617869">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>39.0,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>39.0,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <range><lt>2.36</lt></range>
+ </package>
+ <package>
+ <name>linux-seamonkey</name>
+ <range><lt>2.36</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>31.8.0,1</lt></range>
+ <range><ge>38.0,1</ge><lt>38.1.0,1</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <range><lt>31.8.0</lt></range>
+ <range><ge>38.0</ge><lt>38.1.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>31.8.0</lt></range>
+ <range><ge>38.0</ge><lt>38.1.0</lt></range>
+ </package>
+ <package>
+ <name>linux-thunderbird</name>
+ <range><lt>31.8.0</lt></range>
+ <range><ge>38.0</ge><lt>38.1.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Mozilla Project reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
+ <p>MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0
+ / rv:31.8 / rv:38.1)</p>
+ <p>MFSA 2015-60 Local files or privileged URLs in pages can
+ be opened into new tabs</p>
+ <p>MFSA 2015-61 Type confusion in Indexed Database
+ Manager</p>
+ <p>MFSA 2015-62 Out-of-bound read while computing an
+ oscillator rendering range in Web Audio</p>
+ <p>MFSA 2015-63 Use-after-free in Content Policy due to
+ microtask execution error</p>
+ <p>MFSA 2015-64 ECDSA signature validation fails to handle
+ some signatures correctly</p>
+ <p>MFSA 2015-65 Use-after-free in workers while using
+ XMLHttpRequest</p>
+ <p>MFSA 2015-66 Vulnerabilities found through code
+ inspection</p>
+ <p>MFSA 2015-67 Key pinning is ignored when overridable
+ errors are encountered</p>
+ <p>MFSA 2015-68 OS X crash reports may contain entered key
+ press information</p>
+ <p>MFSA 2015-69 Privilege escalation through internal
+ workers</p>
+ <p>MFSA 2015-70 NSS accepts export-length DHE keys with
+ regular DHE cipher suites</p>
+ <p>MFSA 2015-71 NSS incorrectly permits skipping of
+ ServerKeyExchange</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2721</cvename>
+ <cvename>CVE-2015-2722</cvename>
+ <cvename>CVE-2015-2724</cvename>
+ <cvename>CVE-2015-2725</cvename>
+ <cvename>CVE-2015-2726</cvename>
+ <cvename>CVE-2015-2727</cvename>
+ <cvename>CVE-2015-2728</cvename>
+ <cvename>CVE-2015-2729</cvename>
+ <cvename>CVE-2015-2730</cvename>
+ <cvename>CVE-2015-2731</cvename>
+ <cvename>CVE-2015-2733</cvename>
+ <cvename>CVE-2015-2734</cvename>
+ <cvename>CVE-2015-2735</cvename>
+ <cvename>CVE-2015-2736</cvename>
+ <cvename>CVE-2015-2737</cvename>
+ <cvename>CVE-2015-2738</cvename>
+ <cvename>CVE-2015-2739</cvename>
+ <cvename>CVE-2015-2740</cvename>
+ <cvename>CVE-2015-2741</cvename>
+ <cvename>CVE-2015-2742</cvename>
+ <cvename>CVE-2015-2743</cvename>
+ <cvename>CVE-2015-4000</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-59/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-60/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-61/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-62/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-63/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-64/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-65/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-66/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-67/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-68/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-69/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-70/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-71/</url>
+ </references>
+ <dates>
+ <discovery>2015-07-02</discovery>
+ <entry>2015-07-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d3216606-2b47-11e5-a668-080027ef73ec">
+ <topic>PolarSSL -- Security Fix Backports</topic>
+ <affects>
+ <package>
+ <name>polarssl</name>
+ <range><lt>1.2.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Paul Bakker reports:</p>
+ <blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released">
+ <p>PolarSSL 1.2.14 fixes one remotely-triggerable issues that was
+ found by the Codenomicon Defensics tool, one potential remote crash
+ and countermeasures against the "Lucky 13 strikes back" cache-based
+ attack.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released</url>
+ </references>
+ <dates>
+ <discovery>2015-06-26</discovery>
+ <entry>2015-07-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ca139c7f-2a8c-11e5-a4a5-002590263bf5">
+ <topic>libwmf -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libwmf</name>
+ <range><lt>0.2.8.4_14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941">
+ <p>Multiple buffer overflows in the gd graphics library (libgd) 2.0.21
+ and earlier may allow remote attackers to execute arbitrary code via
+ malformed image files that trigger the overflows due to improper
+ calls to the gdMalloc function, a different set of vulnerabilities
+ than CVE-2004-0990.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455">
+ <p>Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
+ Graphics Library 2.0.33 and earlier allows remote attackers to cause
+ a denial of service (application crash) and possibly execute
+ arbitrary code via a crafted string with a JIS encoded font.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756">
+ <p>The gdPngReadData function in libgd 2.0.34 allows user-assisted
+ attackers to cause a denial of service (CPU consumption) via a
+ crafted PNG image with truncated data, which causes an infinite loop
+ in the png_read_info function in libpng.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472">
+ <p>Integer overflow in gdImageCreateTrueColor function in the GD
+ Graphics Library (libgd) before 2.0.35 allows user-assisted remote
+ attackers to have unspecified attack vectors and impact.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473">
+ <p>The gdImageCreateXbm function in the GD Graphics Library (libgd)
+ before 2.0.35 allows user-assisted remote attackers to cause a
+ denial of service (crash) via unspecified vectors involving a
+ gdImageCreate failure.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477">
+ <p>The (a) imagearc and (b) imagefilledarc functions in GD Graphics
+ Library (libgd) before 2.0.35 allow attackers to cause a denial of
+ service (CPU consumption) via a large (1) start or (2) end angle
+ degree value.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546">
+ <p>The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
+ 5.3.1, and the GD Graphics Library 2.x, does not properly verify a
+ certain colorsTotal structure member, which might allow remote
+ attackers to conduct buffer overflow or buffer over-read attacks via
+ a crafted GD file, a different vulnerability than CVE-2009-3293.
+ NOTE: some of these details are obtained from third party
+ information.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848">
+ <p>Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
+ attackers to cause a denial of service (crash) or possibly execute
+ arbitrary code via a crafted BMP image.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695">
+ <p>meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial
+ of service (out-of-bounds read) via a crafted WMF file.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696">
+ <p>Use-after-free vulnerability in libwmf 0.2.8.4 allows remote
+ attackers to cause a denial of service (crash) via a crafted WMF
+ file to the (1) wmf2gd or (2) wmf2eps command.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588">
+ <p>Heap-based buffer overflow in the DecodeImage function in libwmf
+ 0.2.8.4 allows remote attackers to cause a denial of service (crash)
+ or possibly execute arbitrary code via a crafted "run-length count"
+ in an image in a WMF file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <bid>11663</bid>
+ <bid>22289</bid>
+ <bid>24089</bid>
+ <bid>24651</bid>
+ <bid>36712</bid>
+ <freebsdpr>ports/201513</freebsdpr>
+ <cvename>CVE-2004-0941</cvename>
+ <cvename>CVE-2007-0455</cvename>
+ <cvename>CVE-2007-2756</cvename>
+ <cvename>CVE-2007-3472</cvename>
+ <cvename>CVE-2007-3473</cvename>
+ <cvename>CVE-2007-3477</cvename>
+ <cvename>CVE-2009-3546</cvename>
+ <cvename>CVE-2015-0848</cvename>
+ <cvename>CVE-2015-4695</cvename>
+ <cvename>CVE-2015-4696</cvename>
+ <cvename>CVE-2015-4588</cvename>
+ </references>
+ <dates>
+ <discovery>2004-10-12</discovery>
+ <entry>2015-07-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a12494c1-2af4-11e5-86ff-14dae9d210b8">
+ <topic>apache24 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>apache24</name>
+ <range><lt>2.4.16</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jim Jagielski reports:</p>
+ <blockquote cite="https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E">
+ <p>CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters.</p>
+ <p>CVE-2015-3185 (cve.mitre.org)
+ Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
+ with new ap_some_authn_required and ap_force_authn hook.</p>
+ <p>CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
+ with the INCLUDES filter active, introduced in 2.4.11. PR 57531.</p>
+ <p>CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist>https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E</mlist>
+ <cvename>CVE-2015-3183</cvename>
+ <cvename>CVE-2015-3185</cvename>
+ <cvename>CVE-2015-0253</cvename>
+ <cvename>CVE-2015-0228</cvename>
+ </references>
+ <dates>
+ <discovery>2015-02-04</discovery>
+ <entry>2015-07-15</entry>
+ </dates>
+ </vuln>
+
<vuln vid="8d2d6bbd-2a02-11e5-a0af-bcaec565249c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
- <range><ge>0</ge></range>
+ <range><lt>11.2r202.491</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
- <range><ge>0</ge></range>
+ <range><lt>11.2r202.491</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
- <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsa15-18.html">
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">
<p>Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have
been identified. Successful exploitation could cause a crash
and potentially allow an attacker to take control of the
@@ -85,12 +1142,12 @@
<references>
<cvename>CVE-2015-5122</cvename>
<cvename>CVE-2015-5123</cvename>
- <url>https://helpx.adobe.com/security/products/flash-player/apsa15-18.html</url>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb15-18.html</url>
</references>
<dates>
<discovery>2015-07-10</discovery>
<entry>2015-07-14</entry>
- <modified>2015-07-15</modified>
+ <modified>2015-07-16</modified>
</dates>
</vuln>
@@ -214,20 +1271,11 @@
<range><lt>5.4.43</lt></range>
</package>
<package>
- <name>mariadb-server</name>
- <name>mysql51-server</name>
- <name>mysql55-server</name>
- <name>mysql56-server</name>
- <name>percona55-server</name>
- <name>percona56-server</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>mariadb55</name>
+ <name>mariadb55-client</name>
<range><lt>5.5.44</lt></range>
</package>
<package>
- <name>mariadb10</name>
+ <name>mariadb100-client</name>
<range><lt>10.0.20</lt></range>
</package>
</affects>
@@ -253,6 +1301,7 @@
<dates>
<discovery>2015-03-20</discovery>
<entry>2015-07-13</entry>
+ <modified>2015-07-18</modified>
</dates>
</vuln>
@@ -289,6 +1338,7 @@
</body>
</description>
<references>
+ <cvename>CVE-2015-5607</cvename>
<url>http://seclists.org/oss-sec/2015/q3/92</url>
<url>http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1</url>
</references>
@@ -295,6 +1345,7 @@
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-07-13</entry>
+ <modified>2015-07-22</modified>
</dates>
</vuln>
@@ -1368,11 +2419,12 @@
</description>
<references>
<url>http://www.squid-cache.org/Advisories/SQUID-2015_2.txt</url>
+ <cvename>CVE-2015-5400</cvename>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-07-06</entry>
- <modified>2015-07-10</modified>
+ <modified>2015-07-17</modified>
</dates>
</vuln>
@@ -1741,6 +2793,14 @@
<name>libxml2</name>
<range><lt>2.9.2_3</lt></range>
</package>
+ <package>
+ <name>linux-c6-libxml2</name>
+ <range><ge>*</ge></range>
+ </package>
+ <package>
+ <name>linux-f10-libxml2</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -1761,6 +2821,7 @@
<dates>
<discovery>2015-04-14</discovery>
<entry>2015-07-01</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -2507,7 +3568,7 @@
<affects>
<package>
<name>chicken</name>
- <range><lt>4.10.0,1</lt></range>
+ <range><lt>4.10.0.r2,1</lt></range>
</package>
</affects>
<description>
@@ -2528,11 +3589,12 @@
<freebsdpr>ports/200980</freebsdpr>
<mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html</mlist>
<mlist>http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html</mlist>
+ <mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-07/msg00001.html</mlist>
</references>
<dates>
<discovery>2015-06-15</discovery>
<entry>2015-06-22</entry>
- <modified>2015-06-23</modified>
+ <modified>2015-07-31</modified>
</dates>
</vuln>
@@ -3392,10 +4454,14 @@
<references>
<url>https://github.com/htacg/tidy-html5/issues/217</url>
<url>http://seclists.org/oss-sec/2015/q2/633</url>
+ <url>http://seclists.org/oss-sec/2015/q3/116</url>
+ <cvename>CVE-2015-5522</cvename>
+ <cvename>CVE-2015-5523</cvename>
</references>
<dates>
<discovery>2015-06-03</discovery>
<entry>2015-06-08</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -9794,6 +10860,10 @@
<name>flac</name>
<range><lt>1.3.0_3</lt></range>
</package>
+ <package>
+ <name>linux-c6-flac</name>
+ <range><lt>1.2.1_3</lt></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -9817,6 +10887,7 @@
<dates>
<discovery>2014-11-25</discovery>
<entry>2014-11-25</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -10465,6 +11536,14 @@
<name>libxml2</name>
<range><lt>2.9.2</lt></range>
</package>
+ <package>
+ <name>linux-c6-libxml2</name>
+ <range><lt>2.7.6_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-libxml2</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -10488,6 +11567,7 @@
<dates>
<discovery>2014-10-16</discovery>
<entry>2014-10-18</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -13678,8 +14758,16 @@
<affects>
<package>
<name>libxml2</name>
- <range><le>2.8.0_5</le></range>
+ <range><lt>2.9.1</lt></range>
</package>
+ <package>
+ <name>linux-c6-libxml2</name>
+ <range><lt>2.7.6_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-libxml2</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -13702,6 +14790,7 @@
<dates>
<discovery>2013-04-11</discovery>
<entry>2013-07-10</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -13710,8 +14799,16 @@
<affects>
<package>
<name>libxml2</name>
- <range><le>2.8.0_5</le></range>
+ <range><lt>2.9.1</lt></range>
</package>
+ <package>
+ <name>linux-c6-libxml2</name>
+ <range><lt>2.7.6_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-libxml2</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -13738,6 +14835,7 @@
<dates>
<discovery>2013-12-03</discovery>
<entry>2014-05-06</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
More information about the Midnightbsd-cvs
mailing list