[Midnightbsd-cvs] mports [19694] trunk/security/vuxml/vuln.xml: update list
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sun Aug 9 14:46:25 EDT 2015
Revision: 19694
http://svnweb.midnightbsd.org/mports/?rev=19694
Author: laffer1
Date: 2015-08-09 14:46:24 -0400 (Sun, 09 Aug 2015)
Log Message:
-----------
update list
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2015-08-09 18:44:26 UTC (rev 19693)
+++ trunk/security/vuxml/vuln.xml 2015-08-09 18:46:24 UTC (rev 19694)
@@ -58,6 +58,205 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8eee06d4-c21d-4f07-a669-455151ff426f">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>39.0.3,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>39.0.3,1</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>38.1.1,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Mozilla Project reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
+ <p>MFSA 2015-78 Same origin violation and local file
+ stealing via PDF reader</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4495</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2015-78/</url>
+ </references>
+ <dates>
+ <discovery>2015-08-06</discovery>
+ <entry>2015-08-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ac5ec8e3-3c6c-11e5-b921-00a0986f28c4">
+ <topic>wordpress -- Multiple vulnerability</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <range><lt>4.2.4,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <name>zh-wordpress-zh_CH</name>
+ <name>zh-wordpress-zh_TW</name>
+ <range><lt>4.2.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gary Pendergast reports:</p>
+ <blockquote cite="https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/">
+ <p>WordPress 4.2.4 fixes three cross-site scripting vulnerabilities
+ and a potential SQL injection that could be used to compromise a
+ site.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/</url>
+ <cvename>CVE-2015-2213</cvename>
+ </references>
+ <dates>
+ <discovery>2015-08-04</discovery>
+ <entry>2015-08-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="57bb5e3d-3c4f-11e5-a4d4-001e8c75030d">
+ <topic>subversion -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>subversion</name>
+ <range><ge>1.8.0</ge><lt>1.8.14</lt></range>
+ <range><ge>1.7.0</ge><lt>1.7.21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Subversion reports:</p>
+ <blockquote cite="http://svn.haxx.se/dev/archive-2015-08/0024.shtml">
+ <p>CVE-2015-3184:<br/>
+ Subversion's mod_authz_svn does not properly restrict anonymous access
+ in some mixed anonymous/authenticated environments when
+ using Apache httpd 2.4.</p>
+ <p>CVE-2015-3187:<br/>
+ Subversion servers, both httpd and svnserve, will reveal some
+ paths that should be hidden by path-based authz.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-3184</cvename>
+ <url>http://subversion.apache.org/security/CVE-2015-3184-advisory.txt</url>
+ <cvename>CVE-2015-3187</cvename>
+ <url>http://subversion.apache.org/security/CVE-2015-3187-advisory.txt</url>
+ </references>
+ <dates>
+ <discovery>2015-07-27</discovery>
+ <entry>2015-08-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ae8c09cb-32da-11e5-a4a5-002590263bf5">
+ <topic>elasticsearch -- directory traversal attack via snapshot API</topic>
+ <affects>
+ <package>
+ <name>elasticsearch</name>
+ <range><ge>1.0.0</ge><lt>1.6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Elastic reports:</p>
+ <blockquote cite="https://www.elastic.co/community/security">
+ <p>Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0
+ are vulnerable to a directory traversal attack.</p>
+ <p>Remediation Summary: Users should upgrade to 1.6.1 or later, or
+ constrain access to the snapshot API to trusted sources.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5531</cvename>
+ <freebsdpr>ports/201834</freebsdpr>
+ <url>https://www.elastic.co/community/security</url>
+ </references>
+ <dates>
+ <discovery>2015-07-16</discovery>
+ <entry>2015-08-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="fb3668df-32d7-11e5-a4a5-002590263bf5">
+ <topic>elasticsearch -- remote code execution via transport protocol</topic>
+ <affects>
+ <package>
+ <name>elasticsearch</name>
+ <range><lt>1.6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Elastic reports:</p>
+ <blockquote cite="https://www.elastic.co/community/security">
+ <p>Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are
+ vulnerable to an attack that can result in remote code execution.</p>
+ <p>Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0.
+ Alternately, ensure that only trusted applications have access to
+ the transport protocol port.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5377</cvename>
+ <freebsdpr>ports/201834</freebsdpr>
+ <url>https://www.elastic.co/community/security</url>
+ </references>
+ <dates>
+ <discovery>2015-07-16</discovery>
+ <entry>2015-08-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="da451130-365d-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- QEMU heap overflow flaw with certain ATAPI commands</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><lt>4.5.0_9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-138.html">
+ <p>A heap overflow flaw was found in the way QEMU's IDE subsystem
+ handled I/O buffer access while processing certain ATAPI
+ commands.</p>
+ <p>A privileged guest user in a guest with CDROM drive enabled could
+ potentially use this flaw to execute arbitrary code on the host
+ with the privileges of the host's QEMU process corresponding to
+ the guest.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5154</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-138.html</url>
+ </references>
+ <dates>
+ <discovery>2015-07-27</discovery>
+ <entry>2015-08-04</entry>
+ </dates>
+ </vuln>
+
<vuln vid="4622635f-37a1-11e5-9970-14dae9d210b8">
<topic>net-snmp -- snmptrapd crash</topic>
<affects>
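Review bot: In the wordpress entry, `<name>zh-wordpress-zh_CH</name>` looks like a typo for the zh_CN locale, given that its sibling is `zh-wordpress-zh_TW`. If the package is actually published as `zh-wordpress-zh_CN`, audit tooling that matches on package name will never flag it, and installs older than 4.2.4 would go unreported. Please confirm against the ports tree and, if so, change the line to `<name>zh-wordpress-zh_CN</name>`. Separately, the same entry's `<references>` lists only `CVE-2015-2213`, although the quoted advisory mentions three cross-site scripting issues and a potential SQL injection. It is worth checking whether further CVE ids were assigned so consumers filtering by CVE do not miss this entry.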
@@ -421,7 +620,7 @@
<affects>
<package>
<name>libidn</name>
- <range><lt>1.3.1</lt></range>
+ <range><lt>1.31</lt></range>
</package>
</affects>
<description>
@@ -442,6 +641,7 @@
<dates>
<discovery>2015-02-09</discovery>
<entry>2015-07-23</entry>
+ <modified>2015-08-03</modified>
</dates>
</vuln>