Univention Bugzilla – Bug 25434
Security issues which don't affect UCS
Last modified: 2019-04-11 19:24:15 CEST
These security issues do not affect UCS, e.g. because the vulnerability in question only affects the Windows port.
Security issues that only affect more recent versions of a piece of software than the ones in the supported UCS and UCD releases are also collected here.
Kernel/CVE-2011-4604: Support for batman-adv was only merged into the kernel with 2.6.38.
Firefox: CVE-2011-3666 -> The issue is MacOS-specific.
Firefox: CVE-2011-3664 -> The issue is MacOS-specific.
openjdk-6: CVE-2011-3558 -> The issue only affects more recent HotSpot versions.
Kernel: CVE-2011-4594 -> The issue was introduced during the 3.1 development cycle and fixed before the final 3.1 release.
eglibc: CVE-2010-4756: glibc implements a standard POSIX glob() here. That is not a security issue in itself. If applications support globbing, appropriate limits must be set in the calling applications.
update-manager: CVE-2011-3154 CVE-2011-3152 CVE-2011-3150 These issues are Ubuntu-specific.
php5: CVE-2011-1467: This issue can only be exploited via a manipulated PHP script and is not covered by the PHP security policy.
ghostscript/CVE-2010-4054: This only leads to a crash through a NULL pointer dereference, not security-relevant.
openssl/CVE-2012-0027: The GOST engine was only introduced later (in 1.0.x).
commons-daemon/CVE-2011-2729: The versions in UCS 2.4 and 3.0 are not yet built against libcap.
openssl/CVE-2011-4577: Support for RFC 3779 is not enabled in the Debian build.
torque: CVE-2011-4925 -> The affected code is not yet contained in the version from 3.0.
GnuTLS/CVE-2012-0390: DTLS support is not yet contained in the GnuTLS versions from UCS 2.4 and 3.0.
Network Manager/CVE-2011-3364: This issue affects a Red Hat-specific plugin.
CVE-2012-0064: This issue only affects current Xorg versions; the versions from 3.0 and 2.4 are not affected.
Linux/CVE-2012-0056: The affected code was only introduced in 2.6.39.
Linux/CVE-2012-0207: The affected code was only introduced in 2.6.36.
Linux/CVE-2012-0058: The affected code was only introduced in 3.2.
isc-dhcp/CVE-2011-4868: Only 4.2.x is affected.
network-manager-applet/CVE-2011-3364: This issue only affects a Red Hat plugin that is not enabled in the Debian build.
usbmuxd/CVE-2012-0065: The affected code is not yet contained.
sudo/CVE-2012-0809: The affected code is not contained in 2.4 and 3.0.
Apache/CVE-2011-0021: This issue was only introduced in 2.2.17 and is not yet contained in the Apache versions from 2.4 and 3.0.
xchat/CVE-2012-0828: This issue only affects Windows.
libvpx/CVE-2012-0823: The issue was only introduced in 0.9.7; the version in 3.0 is older.
CVE-2012-0830: This issue was only introduced by a faulty security fix for CVE-2011-4885. That fix was not released in UCS and thus does not affect us.
Kernel/CVE-2011-3637: The issue was introduced in 2.6.39.
openswan/CVE-2011-2147: This issue does not affect the Debian packages.
CVE-2012-1033 aka "Ghost Domains" describes a general DNS protocol weakness through which the validity limits of the TTL can be circumvented. No changes to BIND are planned; it is a general protocol weakness: https://www.isc.org/software/bind/advisories/cve-2012-1033
CVE-2011-5054: kcheckpass passes a user-controllable parameter to pam_start(), which makes it possible to use a different PAM stack. In combination with OpenPAM this allows a root exploit, but it is not shipped in UCS.
mysql-5.1: CVE-2012-0496 CVE-2012-0486 CVE-2012-0487 CVE-2012-0488 CVE-2012-0489 CVE-2012-0491 CVE-2012-0495 CVE-2012-0117 CVE-2012-0493 These issues only affect MySQL 5.5, which is not yet contained in UCS.
Firefox: CVE-2012-0452 This CVE is for a regression that was introduced in Firefox 10.
Horde/CVE-2012-0209: Release tarballs on the Horde web server were fitted with a backdoor. We have not imported any of these compromised tarballs.
Java/CVE-2012-0508: This issue is part of JavaFX, which is not contained in OpenJDK.
Java/CVE-2012-0504: This issue only affects the Windows-specific update mechanism.
libpng/CVE-2011-3328: This issue only affects libpng 1.5, which is not contained in UCS.
dhcpcd/CVE-2011-0996: The version from UCS 3.0 is not affected.
samba/CVE-2012-0870: This issue only affects Samba <= 3.3.
CVE-2012-0875: The affected code is not yet contained in the version from UCS 3.0.
Kernel/CVE-2011-4348: This issue was caused by an incomplete RHEL5 backport.
Kernel/CVE-2011-3593: This issue was caused by a faulty RHEL6 backport.
apt/CVE-2012-0214: The affected code for processing InRelease files was only added later and is not yet present in the versions from UCS 2.4 and 3.0.
Kernel/CVE-2012-1146: The affected code was only introduced in 2.6.34.
glassfish/CVE-2011-3564: The affected component is not contained in the Debian package.
linux-2.6.32/CVE-2011-1573: This CVE ID was only assigned recently: it is already fixed in the kernel packages from 2.4 and 3.0, since commit a8170c35e738d62e9919ce5b109cf4ed66e95bde was integrated via the LTS kernel 2.6.32.37.
ldm/CVE-2012-1166: The affected code is not yet contained in UCS 3.0.
Firefox/CVE-2012-0454: This issue only affects Firefox on Windows.
Firefox/CVE-2012-0463: This issue only affects Firefox Mobile on Android.
piggin: CVE-2011-4940: The affected code was only introduced in 2.9.
systemtap: CVE-2012-0875: The affected code is not yet present.
Kernel/CVE-2012-1568: The issue/the ExecShield patch is Red Hat-specific.
Apache/CVE-2012-0883: LD_LIBRARY_PATH is not set in the Debian packages.
aptdaemon/CVE-2012-0944: The affected code is not contained in the version from UCS 3.0.
Kernel/CVE-2011-0463: This issue is already fixed in 2.4 and 3.0, since it went into the 2.6.32.34 update, which was integrated into the latest updates.
libphp-adodb/CVE-2011-3699: The paths are known anyway through the packaging.
iproute/CVE-2012-1088: The first issue can only be exploited at build time of the package, and the second is only an example script that is shipped in iproute-doc.
moodle: CVE-2012-1170 CVE-2012-1169 CVE-2012-1168 CVE-2012-1167 CVE-2012-1161 CVE-2012-1160 CVE-2012-1159 CVE-2012-1158 CVE-2012-1157 CVE-2012-1156 All of these issues affect more recent versions of Moodle than the one in 3.0/Squeeze.
puppet: CVE-2012-1989 -> The affected code is not yet contained in the version from Squeeze/UCS 3.0.
nginx: CVE-2012-2089: The affected code is not yet contained in the version from 3.0.
kbd/CVE-2011-0460: The issue is SuSE-specific.
Policykit/CVE-2011-4945: The affected code is not yet contained in the versions from 2.4 and 3.0.
Perl/CVE-2011-2728: This is a normal bug, not a security issue. The globbing flags can only be manipulated from within the script.
CVE-2011-2523: The vsftpd version affected by the backdoor was never contained in UCS/Debian.
asterisk/CVE-2012-2416: The affected code is not yet contained in the version from UCS 3.0.
squirrelmail/CVE-2012-2124: This bug is RHEL-specific.
GNU TLS/CVE-2012-1663: This issue only affects GNU TLS 3.0.
Firefox: CVE-2012-0468: These issues only affect Firefox 11.
Firefox: CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144 These issues only affect Firefox Mobile; in UCS the system FreeType library is used (for which there are already updates/bugs).
Firefox: CVE-2012-0472: This issue is Windows-specific.
Kernel/CVE-2012-2127: This issue was introduced in 3.1 and fixed in 3.2, so no UCS kernel is affected.
krb5/CVE-2012-1012: The affected code was only introduced in version 1.10.
xscreensaver/CVE-2011-2187: The affected code was only introduced in version 5.13.
mono: CVE-2011-0989, CVE-2011-0990, CVE-2011-0991, CVE-2011-0992: These issues only affect Mono in combination with Moonlight, which is not contained.
libarchive: CVE-2010-4666 CVE-2011-1779: The affected code is not yet contained in the version from 3.0.
libvirt/CVE-2011-4600: This issue only affects very special setups that require extensive configuration changes bypassing UVMM. Moreover, the impact of the issue is only minor. Therefore no fix is planned before UCS 3.1.
munin: CVE-2012-2103 CVE-2012-2104: The affected code is not yet present.
munin/CVE-2012-2147: The affected code is not contained in the version from UCS 3.0.
php5: CVE-2012-2329 -> The issue only affects PHP 5.4.x.
Kernel/CVE-2012-0810: The rt patchset is not contained in the kernel versions from 2.4 and 3.0.
pure-ftpd/CVE-2011-0988: The issue is SuSE-specific.
CVE-2012-1499: The affected code is not yet contained in the version from UCS 3.0.
php5: CVE-2012-2376 -> The issue is Windows-specific.
polarssl/CVE-2012-2130: The affected code is not contained in the version from UCS 3.0.
moodle: CVE-2012-2366, CVE-2012-2365, CVE-2012-2364 CVE-2012-2361 CVE-2012-2360 CVE-2012-2359 CVE-2012-2358 CVE-2012-2357 CVE-2012-2356 CVE-2012-2355 CVE-2012-2354 CVE-2012-2353 -> The affected code is not yet contained.
Kernel: CVE-2012-2383/CVE-2012-2384: The affected code was only introduced with 2.6.38 and 2.6.39 respectively.
hostapd/wpa: CVE-2012-2389 -> The issue only affects RedHat and SLES.
unixodbc: CVE-2012-2657, CVE-2012-2658: A CVE ID was assigned here, but these are not security issues; the inputs that trigger the buffer overflow come from a trusted source.
wireshark: CVE-2012-2392 CVE-2012-2393 CVE-2012-2394 These issues do not allow execution of malicious code and are not treated as security issues in Debian (and also in UCS), see README.Debian.security.
update-manager: CVE-2012-0948 CVE-2012-0949 -> These issues are Ubuntu-specific.
CVE-2012-2661: The version from UCS 3.0 is not affected.
Firefox: CVE-2012-1938 These issues only affect Firefox 11 or 12, but not the ESR series.
Firefox: CVE-2012-1942 CVE-2012-1943 -> These issues are Windows-specific.
MySQL: CVE-2012-2122: This issue only affects the SSE4-optimised version of glibc. That is not yet the case in the glibc/eglibc versions from UCS 2.4 and 3.0.
OpenLDAP: CVE-2012-2668 -> This issue only affects the NSS crypto backend, which is not used in UCS/Debian.
Linux-Kernel/CVE-2012-2669: The affected code is not yet contained in the 2.6.32 kernels from UCS.
jbossas4: CVE-2012-1167 CVE-2012-2377 CVE-2012-2148 The version from UCS 3.0 only contains some base class libraries and is not affected.
asterisk: CVE-2012-3553 -> The affected code is not yet present.
CVE-2012-1410/kadu: The affected code is not yet contained in the version from UCS 3.0.
CVE-2012-0838/Struts: libstruts1.2-java is not affected; that only applies to Struts 2.
Kernel: CVE-2012-3364: The affected code is not yet contained in the 2.6.32 kernel from UCS 2.4 and 3.0 nor in the 2.6.18 kernel from 2.4.
wireshark: CVE-2012-3825 CVE-2012-3826 -> The affected code is not yet contained in the versions from 2.4 and 3.0.
ffmpeg: CVE-2012-0847 CVE-2012-0849 CVE-2012-0850 CVE-2012-0854 CVE-2012-0855 CVE-2012-0856 CVE-2012-0857 These issues only affect ffmpeg versions after 0.5.x (the version from UCS 3.0).
apt: CVE-2012-3587 and CVE-2012-0954: The net-update command of apt-key is only available in Ubuntu; in Debian (and UCS) it is present in the source code but disabled. man apt-key on a sid system (in UCS 3.0 the entry is still missing from the manpage): net-update works similarly to the preceding command update, but fetches the archive keyring from a URI instead and validates it against a master key. This requires an installed wget(1) and an APT built such that a server is configured for fetching the master keyring for validation. APT in Debian does not support this command and relies on update instead, but in Ubuntu this works.
nginx: CVE-2012-3380 -> The affected code is not yet contained in the version from UCS 3.0.
Firefox: CVE-2012-1949 These issues only affect Firefox releases > version 10.
moodle: CVE-2012-3387 CVE-2012-3388 CVE-2012-3389 CVE-2012-3390 CVE-2012-3391 CVE-2012-3392 CVE-2012-3393 CVE-2012-3394 CVE-2012-3395 CVE-2012-3396 CVE-2012-3397 -> All of these issues only affect versions more recent than the version from UCS 3.0.
CVE-2012-2806: This issue affects a performance-optimised variant of libjpeg (libjpeg-turbo), which is not contained in Debian/UCS.
MySQL: CVE-2012-1735 CVE-2012-1757 CVE-2012-1756 These issues only affect MySQL 5.5.
CVE-2012-3413: This issue only affects versions of kdepim >= 4.6. The versions from UCS 2.4, UCS 3.0 and UCD 3.1 do not yet use webkit.
expat: CVE-2012-1147 This issue only affects Windows.
bind9: CVE-2012-3868 This issue only affects Bind 9.9.
CVE-2012-3570: isc-dhcp This issue only affects version 4.2.x.
php5: CVE-2012-3365: open_basedir() is not supported according to the Debian/UCD PHP security policy.
CVE-2011-3464: This issue only affects libpng 1.5.x.
bugzilla: CVE-2012-1968: This issue only affects >= 4.1.x.
CVE-2012-1699: xfs: This only affects the XFree releases; the component from xorg (and thus UCS 2.4 and 3.0) is not affected.
rails: CVE-2012-3424 These issues only affect 3.x; these versions are not yet in UCS 2.4 or 3.0.
wireshark: CVE-2012-4049 The affected code is not yet contained in the versions from UCS 2.4 and 3.0.
icinga/CVE-2012-3441: Debian/UCS use dbconfig, which creates the database with correct permissions. In this form the issue only affects SuSE.
CVE-2012-3452: This issue only affects version 3.4.2.
nginx: CVE-2011-4963 -> This issue only affects Windows.
rails: CVE-2012-3463 -> This issue only affects version 3.x.
sudo/CVE-2012-3440: The issue is RHEL-specific.
Wireshark: CVE-2012-4298 CVE-2012-4297 CVE-2012-4295 CVE-2012-4294 CVE-2012-4287 CVE-2012-4286 These security issues only affect version 1.6 or higher.
gimp: CVE-2012-3402 -> This issue only affects Gimp 2.2.
CVE-2012-4245 -> A CVE ID was assigned for this, but the corresponding interface gives no security guarantees or the like, so in practice this is not a security issue either.
apache2: CVE-2012-3502 This issue only affects Apache 2.4, which is not yet contained in UCS 2.4 or UCS 3.0.
Kernel: CVE-2012-3520 -> This issue was only introduced in 3.1.
mesa: CVE-2012-2864 -> Support for GLSL shaders is not yet contained in the version from UCS 2.4 / UCS 3.0.
Firefox: CVE-2012-3979 -> This issue only affects the Android port
CVE-2012-3975 -> This issue only affects Firefox >= 10
CVE-2012-3974 -> This issue only affects the Android port
CVE-2012-3973 -> This issue only affects Firefox >= 10
CVE-2012-3971 -> This issue only affects Firefox >= 10
CVE-2012-3965 -> This issue only affects Firefox >= 10
CVE-2012-1956 -> This issue only affects Firefox >= 10
CVE-2012-1971 -> This issue only affects Firefox >= 10
munin: CVE-2012-4678 -> The version in UCS 3.0 is not affected.
CVE-2011-1772, CVE-2012-4386, CVE-2012-4387 These issues do not affect the Struts version in UCS 3.0, only Struts 2.x.
cakephp: CVE-2012-4399 -> The affected code is not yet contained in the version from UCS 3.0.
Xen/CVE-2012-3516 -> This issue only affects Xen >= 4.2.
The CVE IDs are from 2010 but were only assigned recently. All three issues only affect Windows:
httrack: CVE-2010-5252
keepassx: CVE-2012-5200 CVE-2010-5196
ghostscript: CVE-2012-4875
tryton-server: CVE-2012-2238 -> The version in UCS 3.0 is not affected.
CVE-2012-4416 CVE-2012-4420 -> These issues only affect Java 7.
CVE-2012-4427: The affected feature is not yet contained in the versions from UCS 2.4 and 3.0.
cakephp: CVE-2012-4399 -> The version in UCS 3.0 is not affected.
optipng: CVE-2012-4432 -> The version in UCS 3.0 is not affected.
smarty/CVE-2012-4437: The affected code is not contained in smarty 2.x.
cron: CVE-2011-1073 CVE-2011-1074 -> The issues are FreeBSD-specific.
kdenetwork: CVE-2011-1586 -> In 2.4 the affected code is not contained, and in UCS 3.0 the issue is already fixed.
kde4libs: CVE-2011-3365 -> This issue only affects versions 4.6.0 to 4.7.1.
glib/CVE-2012-0039: The issue is disputed by the glib developers, since an arbitrary hash function can be specified.
rekonq/CVE-2011-3366: This issue only affected a development snapshot; the version from UCS 3.0 is not affected.
chromium-browser: CVE-2012-2897 CVE-2012-2895 CVE-2012-2890 CVE-2012-2875 These issues only affect Chrome, not Chromium.
phpmyadmin: CVE-2012-5159 -> The affected version was never in Debian or UCS.
CVE-2009-4030 should have been fixed in MySQL 5.0.88, but it was not. CVE-2012-4452 was assigned for that. UCS was not updated to this version and is thus not affected.
Kernel: CVE-2012-4467 -> The issue was only introduced in 3.3.
Wireshark: CVE-2012-5240 -> This issue only affects Wireshark 1.8.x.
Wireshark: CVE-2012-5238 CVE-2012-5237 -> These issues only affect Wireshark 1.8.x.
Firefox: CVE-2012-3989 CVE-2012-3985 CVE-2012-3984 These security issues do not affect the 10.x ESR series.
Firefox: CVE-2012-3987 This issue is Android-specific.
Konqueror: CVE-2012-4515 CVE-2012-4514 CVE-2012-4513 CVE-2012-4512 -> Konqueror is not covered by security support, see "Scope of security support for Webkit, Konqueror and QtWebKit" in the release notes.
libproxy: CVE-2012-4504 -> The version from UCS 3.0 is not affected.
CVE-2012-2248: This issue does not affect the 2.4 and 3.0 versions of isc-dhcp.
The following issues only affect Windows:
CVE-2012-5383: mysql-5.1
CVE-2012-5381: php5
CVE-2012-5380: ruby1.8
ruby1.8: CVE-2012-4522 -> This issue only affects Ruby 1.9 (unmaintained).
openjdk6: CVE-2012-5078 CVE-2012-5080 CVE-2012-5082 These issues only affect JavaFX, which is not contained in OpenJDK.
These OpenJDK issues only affect openjdk-7: CVE-2012-5088 CVE-2012-5087 CVE-2012-5086 CVE-2012-5076 CVE-2012-5074 CVE-2012-5070 CVE-2012-5067
MySQL: These issues only affect MySQL 5.5, but not 5.1: CVE-2012-3147 CVE-2012-3144 CVE-2012-3149 CVE-2012-3156
ffmpeg: CVE-2012-2785 CVE-2012-2792 CVE-2012-2795 CVE-2012-2799 -> These issues affect the wmalossless decoder, which was only introduced in libav 0.9.
Besides dbus, glib2.0 is also affected by CVE-2012-3524 (through libgdbus). However, UCS 2.4 and 3.0 are not affected by this; libgdbus is not yet present there.
awstats/CVE-2012-4547: The affected script is not shipped in the Debian/UCS package.
Firefox: CVE-2012-4195 This issue only affects Firefox 16 and not the 10.x ESR series.
chromium-browser: CVE-2012-5118 CVE-2012-5115 These issues are MacOS-specific.
moodle: CVE-2012-5471 CVE-2012-5472 CVE-2012-5473 CVE-2012-5479 CVE-2012-5480 CVE-2012-5481 -> The version from UCS 3.0 is not affected.
bugzilla: CVE-2012-4198 CVE-2012-4189 -> The affected code is not yet contained in the version from UCS 3.0.
Java: CVE-2012-4820 CVE-2012-4821 CVE-2012-4822 CVE-2012-4823 These issues only affect the IBM implementation of Java, not the OpenJDK from UCS.
(In reply to comment #150)
> bugzilla: CVE-2012-4198 CVE-2012-4189
>
> -> The affected code is not yet contained in the version from UCS 3.0.
A further ID was split off from CVE-2012-4198: CVE-2012-5884
Mozilla: CVE-2012-5843 CVE-2012-5836 CVE-2012-4203 CVE-2012-4204 CVE-2012-4205 CVE-2012-4208 CVE-2012-5837 CVE-2012-4212 CVE-2012-4213 CVE-2012-4217 CVE-2012-4218 CVE-2012-5838 -> These issues do not affect the 10.x ESR series.
CVE-2012-4206 -> Windows-specific issue
gwt / CVE-2012-5920 -> The affected code is not yet contained in the version from 3.0.
lighttpd / CVE-2012-5533 -> The affected code is not contained in 3.0.
chromium-browser: CVE-2012-5131 -> MacOS-specific
Linux-Kernel/CVE-2012-5532: The affected code is not yet contained in the 2.6.32 kernels from UCS. In the 3.2 kernel from UCS 3.1 it is not enabled.
opendnssec / CVE-2012-5582 -> The version in 3.0 is not affected; the affected tool is not built in Debian/UCS.
wireshark: CVE-2012-5592 CVE-2012-5593 CVE-2012-5594 CVE-2012-5595 CVE-2012-5596 CVE-2012-5597 CVE-2012-5598 CVE-2012-5599 CVE-2012-5600 CVE-2012-5601 CVE-2012-5602 These issues do not allow execution of malicious code and are not treated as security issues in Debian (and also in UCS), see README.Debian.security.
Linux-Kernel: CVE-2012-4220 CVE-2012-4221 CVE-2012-4222 These issues are Android-specific.
xen: CVE-2012-5525 -> This issue only affects Xen 4.2.
wireshark: CVE-2012-6052 CVE-2012-6053 CVE-2012-6054 CVE-2012-6055 CVE-2012-6056 CVE-2012-6057 CVE-2012-6058 CVE-2012-6059 CVE-2012-6060 CVE-2012-6061 CVE-2012-6062 These issues do not allow execution of malicious code and are not treated as security issues in Debian (and also in UCS), see README.Debian.security.
mesa: CVE-2012-5129 The affected code is not yet contained in the versions from UCS 2.4 and 3.0.
apt / CVE-2012-0961: The log file is written with correct permissions in UCS 2.4 and 3.0.
qt4-x11: CVE-2012-5624 -> The affected code is not yet contained in the QT versions from UCS 2.4, 3.0 and 3.1.
aptdaemon: CVE-2012-0962 -> The affected code is not yet contained in the version from UCS 3.0.
jbossas4: CVE-2012-4549 The version from UCS 3.0 only contains some base class libraries and is not affected.
freetype: CVE-2012-5670 -> The affected code is not contained in the versions from UCS 2.4 and 3.x.
CVE-2012-6088 / rpm This vulnerability was introduced in rpm 4.10 and doesn't affect the rpm releases from UCS 2.4 and UCS 3.x
cups: CVE-2012-6094 This only applies to Cups in conjunction with systemd, which isn't present in UCS 2.4, 3.0 or 3.1.
xen: CVE-2013-0154 This issue only applies to Xen 4.2 and above.
CVE-2012-2774: This issue only applies to recent versions of ffmpeg
CVE-2012-2784: This issue is a duplicate assignment of CVE-2012-2777
QT: CVE-2012-6093 This security issue only applies to some embedded systems or Gentoo: on a standard Linux distribution with proper soname handling like Debian/UCS, QT links against a versioned libssl and this is not exploitable.
Firefox: CVE-2013-0757 CVE-2013-0756 CVE-2012-0755 CVE-2013-0752 CVE-2013-0747 CVE-2013-0764 CVE-2013-0745 CVE-2013-0768 CVE-2013-0760 CVE-2013-0761 CVE-2013-0763 CVE-2013-0771 CVE-2013-0749 CVE-2013-0770 -> These issues do not apply to the ESR 10.x series packaged in UCS, but only to later releases.
CVE-2013-0751 -> This issue is limited to Firefox on Android.
rails: CVE-2013-0155 -> The version from UCS 3.0 doesn't contain the vulnerable code, only the later releases are affected.
Linux kernel: CVE-2013-0160 Minor information leak and standard behaviour, rather a missing hardening feature than a security vulnerability.
chromium-browser: Windows-specific: CVE-2013-0830 CVE-2012-5154
Specific to Chrome, doesn't affect Chromium: CVE-2013-0828 CVE-2012-5157 CVE-2012-5156 CVE-2012-5151
MacOSX-specific: CVE-2012-5155
condor: CVE-2012-5390 -> The affected code isn't enabled in the Debian package.
mysql-5.1: CVE-2012-0578 CVE-2013-0367 CVE-2012-5096 CVE-2013-0371 CVE-2013-0368 CVE-2013-0386 CVE-2012-5612 These issues only apply to MySQL 5.5.
openjdk-6: CVE-2013-0422 This vulnerability only affects Java 7.
(In reply to comment #180)
> openjdk-6: CVE-2013-0422
>
> This vulnerability only affects Java 7.
CVE-2012-3174 is related to this CVE ID.
CVE-2012-5641: Only affects CouchDB on Windows.
moodle: CVE-2012-6106 CVE-2012-6105 CVE-2012-6104 CVE-2012-6103 CVE-2012-6102 CVE-2012-6101 CVE-2012-6100 CVE-2012-6099 -> These issues only affect Moodle >= 2.0
php: CVE-2012-6113 This vulnerability was introduced in 5.3.9, so the PHP releases in 2.4, 3.0 and 3.1 are not affected.
moodle: CVE-2012-6112 -> The affected code was introduced in 2.1
Xen: CVE-2013-0152 CVE-2013-0151 These vulnerabilities only affect Xen 4.2
hplip: CVE-2012-6108 This doesn't affect the Debian/UCS packaging, which enforces stricter logfile permissions.
chromium-browser: CVE-2013-0843 -> MacOS-specific
coreutils: CVE-2013-0221 CVE-2013-0222 CVE-2013-0223 The affected patch is an external patch used by Red Hat and SuSE, but not applied to the Debian/UCS package.
OpenJDK: CVE-2013-1483 CVE-2013-1482 CVE-2013-1477 CVE-2013-1474 CVE-2013-1472 CVE-2013-0447 CVE-2013-0439 CVE-2013-0436 CVE-2012-4305 CVE-2012-4301 CVE-2012-1543 These vulnerabilities are in JavaFX, which isn't part of OpenJDK, only the proprietary Java.
These security issues are specific to Java 7 and don't affect Java 6/openjdk-6 as shipped in UCS: CVE-2013-0437 CVE-2013-0444 CVE-2013-0449 CVE-2013-0431 CVE-2013-0448 CVE-2013-1489
OpenJDK-6: CVE-2013-1481 CVE-2013-1473 CVE-2013-0446 CVE-2013-0438 CVE-2013-0430 CVE-2013-0423 CVE-2013-0419 CVE-2013-0351 CVE-2012-3342 CVE-2012-1541 The vulnerabilities were fixed in Oracle Java, but don't affect the Icedtea release openjdk-6 is based upon: the Deployment components are not present and the sound implementation is different (icedtea uses Pulseaudio).
Xen: CVE-2013-0215: This issue only affects the Ocaml version of xenstored, which is not used in UCS.
OpenJDK: CVE-2013-1479 This vulnerability is in JavaFX, which isn't part of OpenJDK, only the proprietary Java.
curl: CVE-2013-0249 This only affects the versions 7.26.0 to and including 7.28.1, which are not part of any UCS release.
OpenJDK: CVE-2013-1490 Only exploitable with OpenJDK 7
wireshark: CVE-2013-1587 CVE-2013-1585 CVE-2013-1584 CVE-2013-1583 The affected code isn't present in Wireshark 1.2
wireshark: CVE-2013-1589 CVE-2013-1581 CVE-2013-1580 CVE-2013-1579 CVE-2013-1578 CVE-2013-1577 CVE-2013-1576 CVE-2013-1575 CVE-2013-1574 CVE-2013-1573 CVE-2013-1572 These issues are not suitable for code injection and thus not treated as security issues, see README.Debian.security
CVE-2013-1591: pixman The affected macro isn't present in the pixman versions in UCS 2.4 and 3.x
boost1.42: CVE-2013-0252 Boost.locale was introduced in Boost 1.48 and isn't present in the Boost packages from UCS 2.4 and UCS 3.x
gnome-screensaver: CVE-2013-1050 The vulnerable code is Ubuntu-specific and caused by a Unity patch not present in the UCS packages.
CVE-2013-1747: ngircd: The vulnerability was introduced in 20.1-1, which isn't in UCS.
All of these security issues only affect Firefox 18 or above: CVE-2013-0784 CVE-2013-0772 CVE-2013-0765 CVE-2013-0777 CVE-2013-0778 CVE-2013-0779 CVE-2013-0781
OpenJDK: CVE-2013-1484 CVE-2013-1485: These vulnerabilities only affect Java 7.
CVE-2013-1487: The Deployment components are only present in Oracle Java, not OpenJDK.
openssl: CVE-2012-2686 The vulnerable code isn't present in the openssl versions in UCS 2.4 and 3.x
CVE-2013-1763 The affected function was introduced in Linux 3.3 and isn't present in UCS 2.4 or 3.x
pktstat: CVE-2013-0350 The affected code isn't present in the version from UCS 3.x
git: CVE-2013-0308 git in Debian/UCS is built without OpenSSL support due to license restrictions, so this vulnerability doesn't affect Debian/UCS.
packagekit: CVE-2013-1764 This is specific to Zypp from SuSE.
varnish: CVE-2013-0345 Debian/UCS are not affected, they use a secure configuration.
tomcat6: CVE-2013-0346 Debian/UCS uses a secure configuration.
mantis: CVE-2013-1810 This only affects Mantis 1.1.12, which isn't present in UCS 3.x
php5: CVE-2013-1635 basedir bypasses are not treated as security issues per the Debian/UCS PHP security policy.
These issues don't allow code injection and are thus not treated as security issues by the Debian/UCS security policy for Wireshark, see README.Debian.security CVE-2012-4293 CVE-2012-4292 CVE-2012-4291 CVE-2012-4290 CVE-2012-4289 CVE-2012-4288 CVE-2012-4285 CVE-2012-4288
corosync: CVE-2013-0250 The version in 3.x doesn't contain the affected code.
wireshark: CVE-2013-2487 CVE-2013-2486 CVE-2013-2479 CVE-2013-2477 CVE-2013-2476 CVE-2013-2475 The affected code isn't present in Wireshark 1.2
wireshark: CVE-2013-2485 CVE-2013-2483 CVE-2013-2482 CVE-2013-2481 These issues are not suitable for code injection and thus not treated as security issues, see README.Debian.security
Linux kernel: CVE-2013-1828 This issue has been introduced in Linux 3.8 and doesn't affect any UCS kernel.
squid3: CVE-2013-1839 The vulnerability was introduced in 3.2.0.9
almanah: CVE-2013-1853 This only affects Almanah in combination with Glib 2.32
apt: CVE-2013-1051 InRelease support isn't used in the apt releases in UCS 2.4 and 3.x
Linux kernel: CVE-2012-6543 The affected code was introduced in Linux 3.5
sssd: CVE-2013-0287 The AD provider was introduced in 1.9 and is not present in the version from UCS 3.x
mantis: CVE-2013-1883 The version in UCS 3.x is not affected
moodle: CVE-2013-1829 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1835 CVE-2013-1836 -> Only affect Moodle versions later than 1.9.x
isc-dhcp: CVE-2013-2494 This only affects isc-dhcp 4.2
python-pip: CVE-2013-1888 The vulnerable code is not yet present.
openjdk6: CVE-2013-0409 CVE-2012-3213 These issues are specific to Oracle Java.
asterisk: CVE-2013-2685 The affected code isn't present.
postgresql-*: CVE-2013-1899 CVE-2013-1901 These issues only affect PostgreSQL 9.0, 9.1, 9.2; UCS contains PostgreSQL 8.4 which is not affected by these issues.
glassfish: CVE-2013-1508 CVE-2013-1515 These issues only affect 3.x
mysql-5.1: CVE-2013-2395 CVE-2013-1570 CVE-2013-1523 CVE-2013-1512 CVE-2013-1526 CVE-2013-2376 CVE-2013-1567 CVE-2013-1566 CVE-2013-1511 CVE-2013-2381 CVE-2013-1502 These issues only affect MySQL 5.6 and/or 5.5
phpmyadmin: CVE-2013-3238 CVE-2013-1937 CVE-2013-3240 CVE-2013-3241 These issues are either only exploitable on Windows or only affect more recent versions of phpmyadmin than the ones in UCS 2.4 and 3.x
openjdk-6: CVE-2013-2433 CVE-2013-2435 CVE-2013-2439 CVE-2013-2440 CVE-2013-2418 These issues only affect Oracle Java, not the icedtea releases OpenJDK is based upon. The Deployment component isn't present there and the Installation mechanism doesn't apply to Linux distros.
openjdk-6: CVE-2013-2425 CVE-2013-2416 Only affects Java 7.
libxml2: CVE-2013-1969 This is only exploitable with libxml2 2.9 onwards.
Linux kernel: CVE-2013-3226 The vulnerable code isn't present in 2.6.32 and 3.2 yet
Linux kernel: CVE-2013-3230 Introduced in Linux 3.5
Linux kernel: CVE-2013-3233 Introduced in Linux 3.3
Linux kernel: CVE-2013-3236 CVE-2013-3237 Introduced in Linux 3.9
Linux kernel: CVE-2013-1959 Introduced in Linux 3.7
Linux kernel: CVE-2013-2017 Introduced in 2.6.33 and fixed in 2.6.34
roundcube: CVE-2013-1904 The affected code isn't present in the version in UCS 3.x
openjdk-6: CVE-2013-1563 CVE-2013-1540 This only affects Oracle Java, but not OpenJDK.
openjdk-7: CVE-2013-2438 CVE-2013-2428 CVE-2013-2427 CVE-2013-2414 CVE-2013-1564 CVE-2013-1561 CVE-2013-0402 These issues only affect JavaFX, which isn't part of OpenJDK, only the proprietary Oracle Java.
openjdk-6: 2013-2434 CVE-2013-2431 CVE-2013-2421 CVE-2013-2426 CVE-2013-2436 CVE-2013-1488 CVE-2013-2423 CVE-2013-2415 This only affects Java 7, not Java 6.
Firefox: CVE-2013-0789 CVE-2013-0790 CVE-2013-0799 CVE-2013-0798 CVE-2013-0797 CVE-2013-0794 CVE-2013-0792 These issues only affect Firefox releases after 17.x or only Firefox on Android/Windows.
xen: CVE-2013-1922 NBD/qemu isn't used in UCS.
Linux kernel: CVE-2013-3229 This issue is specific to the s390 architecture not supported by UCS.
Linux kernel: CVE-2013-3232 This issue was introduced and fixed in the 3.9 development cycle.
samba: CVE-2013-0454 This issue only affects Samba 3.6.0 to 3.6.5. UCS 2.4 and 3.0 contain 3.5.11 and the version from UCS 3.1 (3.6.8) is already fixed.
activemq: CVE-2012-6092 CVE-2012-6551 The affected code isn't present in the packages in UCS 3.x
xen: CVE-2013-2007 The affected code isn't present yet.
postgres: CVE-2013-1902 CVE-2013-1903 These issues are specific to the installer provided by EnterpriseDB and don't apply to Debian/UCS.
nginx: CVE-2013-2028 The version in UCS 3.x is not affected.
tomcat6: CVE-2013-2071 This only affects Tomcat 7
libparallel-forkmanager-perl: CVE-2011-4115 The affected code isn't present in the version from UCS 3.x
dovecot: CVE-2010-0535 (only recently assigned) This is specific to MacOS X
Linux kernel: CVE-2013-2058 The affected code was introduced in 3.5
Firefox: CVE-2013-1669 CVE-2013-1671 These issues only affect Firefox 20.
Firefox: CVE-2013-1672 CVE-2013-1673 CVE-2012-1942 These issues are specific to Windows.
webauth: CVE-2013-2106 The affected code isn't present in the package in UCS 3.x
moodle: CVE-2013-2079 This only affects more recent versions than the one in UCS 3.x
wireshark: CVE-2013-3555 CVE-2013-3556 CVE-2013-3558 CVE-2013-3559 CVE-2013-3560 CVE-2013-3561 This only affects Wireshark 1.8.x or the development trunk
libvirt: CVE-2013-1962 The vulnerable code isn't present in the versions in UCS 2.4 and 3.x
wireshark: CVE-2013-3562 This issue only affects Wireshark 1.8.x
Python: CVE-2013-2098 The affected function was introduced in Python 3.2
tomcat6: CVE-2013-1976 CVE-2013-2051 These issues are specific to Red Hat.
Struts: CVE-2013-2115 CVE-2013-1966 CVE-2013-1965 The Struts version in UCS 3.x is not affected.
znc: CVE-2013-2130 The vulnerable code isn't present yet
pymongo: CVE-2013-2132 The affected code isn't yet present in the version in UCS 3.x
qemu/qemu-kvm: CVE-2013-2016 This issue was introduced in 1.3.0 and is thus not present in UCS 2.4 or 3.x
Ruby: CVE-2013-2065 This issue only affects Ruby 1.9 (only in unmaintained)
Bind: CVE-2013-3919 The affected code was introduced in a later version; the Bind packages from UCS 2.4 and 3.x are not affected.
gallery: CVE-2013-2138 This issue only affects later versions.
qemu/qemu-kvm: CVE-2013-2007 The affected code was added in 1.4
libstruts1.2: CVE-2013-2134 CVE-2013-2135 This only affects 2.x
Linux kernel: CVE-2013-2140 This issue doesn't affect 2.6.32 or 3.2
dovecot: CVE-2013-2111 The affected code isn't present in the version from UCS 3.x
dbus: CVE-2013-2168 The affected code isn't present yet.
xdm: CVE-2013-2179 This only affects systems without PAM.
Wireshark: CVE-2013-4082 CVE-2013-4080 CVE-2013-4079 CVE-2013-4078 CVE-2013-4077 CVE-2013-4076 CVE-2013-4075 CVE-2013-4074 The affected code was introduced in 1.8 or later.
Wireshark: CVE-2013-4081 This issue doesn't allow code injection and is not treated as a security issue, see README.Security
php5: CVE-2013-2110 The affected code was introduced later.
ffmpeg: CVE-2013-3675 CVE-2013-0876 CVE-2013-0877 CVE-2013-0863 CVE-2013-0862 The affected code isn't present.
chromium-browser: CVE-2013-2866 The affected code isn't present.
openjdk-6: CVE-2013-2468 CVE-2013-2466 CVE-2013-2442 CVE-2013-2437 These issues affect the Deployment component, which is only in Oracle Java, not OpenJDK.
openjdk-6: CVE-2013-2462 CVE-2013-2400 CVE-2013-3744 These issues only affect Java 7.
openjdk-6: CVE-2013-2467 This issue only affects Java 5.
openjdk-7: CVE-2013-2460 CVE-2013-2458 CVE-2013-2449 Only affects Java 7.
php: CVE-2013-4636 The vulnerable code has been introduced in 5.4.15
php5: CVE-2013-4635 This is only exploitable by malicious PHP script code.
Firefox: CVE-2013-1683 CVE-2013-1688 CVE-2013-1695 CVE-2013-1696 CVE-2013-1698 CVE-2013-1699 CVE-2013-1700 These issues only affect Firefox > ESR17.
Linux: CVE-2013-2188 This is a kernel issue specific to Red Hat Enterprise Linux.
OpenJDK: CVE-2013-2457 Only applies to Java 7.
icinga: CVE-2013-2214 This issue is specific to Nagios, Icinga performs correct filtering.
kdeplasma-addons: CVE-2013-2213 This ID is for an incomplete patch, which was never applied in UCS.
phpmyadmin: CVE-2013-3742 The affected code isn't present in the version from UCS 3.0
ffmpeg: CVE-2013-0878 CVE-2013-0875 CVE-2013-0852 CVE-2013-0851 The affected code isn't present in the 0.5 version of ffmpeg
ffmpeg: CVE-2013-0845 CVE-2013-0859 CVE-2013-0861 CVE-2013-0864 CVE-2013-0872 CVE-2013-3671 CVE-2013-3674 CVE-2013-3673 The affected codec isn't present.
clutter-1.0: CVE-2013-2190 This only affects later versions than the one in UCS 3.x
web2py: 2311 The affected code isn't present in the version from UCS 3.x
libvirt: CVE-2013-2218 The affected code was introduced in 1.0.6
Linux: CVE-2013-2224 This issue is specific to Red Hat Enterprise Linux.
Linux: CVE-2013-2239 This issue is specific to openvz, which was included in the Debian 2.6.32 kernel from UCS 2.4. However, we're disabling the build of that flavour for UCS.
mongodb: CVE-2013-4650 The version from UCS 3.1 is not affected.
rsyslog: CVE-2013-4758 The versions in UCS 2.4 and 3.1 are not affected, the vulnerable code isn't present.
nginx: CVE-2013-2070 The affected code isn't present in the version from UCS 3.1
file-roller: CVE-2013-4668 The version in UCS 3.1 is not affected, it doesn't use libarchive.
chromium-browser: CVE-2013-2872 CVE-2013-2874 These are specific to MacOS and Windows.
libvirt: CVE-2013-2230 The affected code isn't present in the versions from 2.4 or 3.1
squid: CVE-2013-4115 The Squid releases in UCS 2.4 and 3.1 are not affected, the issue can only be exploited with 3.2 onwards.
cyrus-sasl2: CVE-2013-4122 This issue is only exploitable with eglibc 2.17 and later.
geronimo: CVE-2013-1777 The affected code isn't present in the version from UCS 3.1
squid/squid3: CVE-2013-4123 The versions in UCS 2.4 and 3.1 are not affected, the affected code isn't present yet.
Linux kernel: CVE-2013-4129 This issue was introduced in 3.11-rc1
Linux kernel: CVE-2013-4127 This issue was introduced in 3.8
Linux kernel: CVE-2013-4125 This issue was introduced in 3.7
mysql-5.1: CVE-2013-3798 CVE-2013-3809 CVE-2013-3793 CVE-2013-3795 CVE-2013-3806 CVE-2013-3805 CVE-2013-3796 CVE-2013-3783 CVE-2013-3794 CVE-2013-3807 CVE-2013-3811 CVE-2013-3810 CVE-2013-3812 Only affects MySQL 5.6 and/or 5.5
kdebase-workspace: CVE-2013-4133 This is only exploitable with glibc 2.17
phpmyadmin: CVE-2013-4729 The version in UCS 3.1 is not affected, the vulnerable code was introduced later.
moodle: CVE-2013-2244 Only affects later versions
libstruts1.2-java: CVE-2013-2248 CVE-2013-2251 These issues only affect Struts 2.x
libvirt: CVE-2013-4153 This issue was introduced in 1.0.6
freerdp: CVE-2013-4118 CVE-2013-4119 The versions in UCS 2.4, UCS 3.1 and UCC are not affected. These issues only affect the server part, which isn't built in the Debian package.
qemu: CVE-2013-2231 The qemu guest agent isn't present yet.
smokeping: CVE-2013-4158 This CVE ID is for an incomplete fix for CVE-2013-0790. This insufficient patch was never applied to the Debian/UCS package.
mongodb: CVE-2013-3969 The version in UCS 3.1 is not affected.
ffmpeg: CVE-2013-0874 CVE-2013-0870 CVE-2013-0847 The affected code isn't present in the versions in UCS 2.4 and 3.1
gksu-polkit: CVE-2013-4161 This ID is for an incomplete fix for CVE-2012-5617. The broken patch was never applied in UCS/Debian.
apache2: CVE-2013-2249 This only affects Apache 2.4
subversion: CVE-2013-4131 This only affects Subversion >= 1.7
wireshark: CVE-2013-4928 CVE-2013-4936 CVE-2013-4922 CVE-2013-4923 CVE-2013-4924 CVE-2013-4925 CVE-2013-4926 CVE-2013-4920 CVE-2013-4921 CVE-2013-4931 CVE-2013-4927 CVE-2013-4929 The affected code isn't present in the version in UCS 3.1
moodle: CVE-2013-4942 CVE-2013-4941 CVE-2013-4940 CVE-2013-4939 CVE-2013-4938 The affected code isn't present in the version in UCS 3.1
openoffice/libreoffice: CVE-2013-4156 This is a harmless NULL pointer dereference and not treated as a security issue.
nagios3: CVE-2013-2214 This behaviour is intentional and not a security issue, the CVE ID will be rejected at some point.
ffmpeg: CVE-2013-0866 The affected code isn't present in the version from UCS 3.1
strongswan: CVE-2013-5018 Only affects 5.0.x
Firefox: CVE-2013-1702 CVE-2013-1704 CVE-2013-1705 CVE-2013-1708 CVE-2013-1711 These issues only affect Firefox > 17.x
Firefox: CVE-2013-1706 CVE-2013-1707 CVE-2013-1712 CVE-2013-1715 These issues are Windows-specific.
Linux: CVE-2013-4205 This issue was introduced in 3.8
Linux: CVE-2013-4220 This issue is specific to ARM
nagios-plugin: CVE-2013-4215 The affected plugin isn't installed into the Debian package.
nmap: CVE-2013-4885 The vulnerable code was introduced later.
libvirt: CVE-2013-4239 The affected code was introduced in 1.1.1
nagios3: CVE-2013-4214 The affected code isn't present yet.
Linux kernel: CVE-2013-4247 This was introduced in 3.8 (the Linux 3.10 kernel from UCS 3.2 will be reviewed/tracked later)
Linux kernel: CVE-2013-4254 This issue is specific to the ARM architecture
typo3-src: CVE-2013-4250 The version in UCS 3.0 is not affected.
puppet: CVE-2013-4955 CVE-2013-4762 CVE-2013-4961 CVE-2013-4959 CVE-2013-4958 CVE-2013-4073 CVE-2013-4964 CVE-2013-4967 CVE-2013-4968 These issues only affect Puppet Enterprise, not the open source version from UCS 3.x
libstruts1.2-java: CVE-2011-3923 This only affects Struts 2
ngircd: CVE-2013-5580 The version in UCS 3.1 is not affected.
python-django: CVE-2013-4249 The version in UCS 3.1 is not affected.
znc: CVE-2013-2130 The version in UCS 3.1 is not affected.
ffmpeg: CVE-2013-4263 CVE-2013-4264 CVE-2013-4265 The versions in UCS 2.4 and UCS 3.1 are not affected.
puppet: CVE-2013-4962 This only affects Puppet Enterprise, not the puppet from UCS 3.1
Linux kernel: CVE-2013-5634 This only affects ARM.
Linux kernel: CVE-2013-2890 The affected driver was merged in the 3.11 development cycle
Linux kernel: CVE-2013-2891 The affected driver was introduced in 3.9 (the 3.10 kernel from UCS 3.2 will be tracked later)
Linux kernel: CVE-2013-2894 The affected driver was introduced in 3.6 (the 3.10 kernel from UCS 3.2 will be tracked later)
Linux kernel: CVE-2013-2898 The affected driver was introduced in 3.7 (the 3.10 kernel from UCS 3.2 will be tracked later)
libvirt: CVE-2013-5651 The affected code was introduced in 0.10.2
libvirt: CVE-2013-4292 The affected code was introduced in 1.1.2
expat: CVE-2013-0340 CVE-2013-0341 Expat provides API mechanisms to prevent DoS through internal/external entity expansion. Ultimately the responsibility lies with the applications using Expat.
subversion: CVE-2013-4246 CVE-2013-4262 These only affect 1.8.x
perl: CVE-2013-1437 This only affects later Perl releases.
serendipity: CVE-2013-5670 The version in UCS 3.x is not yet affected.
roundcube: CVE-2013-5646 The version in UCS 3.1 is not affected.
imagemagick: CVE-2013-4298 The version in UCS 3.1 is not affected.
python-pip: CVE-2013-5123 The affected code was introduced in 0.8.1
Linux kernel: CVE-2013-1956 CVE-2013-1957 CVE-2013-1958 User namespaces cannot be created by non-privileged users in 2.4 and 3.2
Linux kernel: CVE-2013-1935 CVE-2013-1943 These two issues are regressions specific to RHEL.
Linux kernel: CVE-2013-4300 This issue isn't exploitable by standard users in 2.6.32 and 3.2
ffmpeg: CVE-2013-0853 The parsing is different in 0.5, not affected.
libvirt: CVE-2013-4297 The vulnerability was introduced in 1.0.6
libvirt: CVE-2013-4291 The vulnerability was introduced in 1.1.1
typo3-src: CVE-2013-4320 The Typo3 version in UCS 3.1 is not affected, only Typo3 6 and onwards
wireshark: CVE-2013-5717 This only affects Wireshark 1.10
wireshark: CVE-2013-5719 Not suitable for code injection, see README.Debian.security
xen: CVE-2013-4329 libxl isn't used in UCS.
Adobe Reader: CVE-2013-3351, CVE-2013-3352, CVE-2013-3353, CVE-2013-3354, CVE-2013-3355, CVE-2013-3356, CVE-2013-3357, CVE-2013-3358 Adobe Reader is only present in UCS 2.4. According to the upstream advisory only Adobe Reader 10 and 11 are affected (the version in UCS 2.4 is Reader 9)
request-tracker3.8: CVE-2013-5587 This only affects RT 4
moodle: CVE-2013-5674 The version in UCS 3.x is not affected.
Firefox: CVE-2013-1719 CVE-2013-1720 CVE-2013-1721 CVE-2013-1723 CVE-2013-1724 CVE-2013-1728 These issues only affect Firefox > 24.
Firefox: CVE-2013-1726 This only affects the Firefox-internal updater, which is not used on Linux.
Firefox: CVE-2013-1727 CVE-2013-1731 These are specific to Android.
Firefox: CVE-2013-1729 This is specific to Mac OS X
Struts: CVE-2013-4316 CVE-2013-4310 These issues only affect Struts 2.x
qemu-kvm: CVE-2013-4377 This was introduced in 1.4.
hylafax: CVE-2013-5680 LDAP support is not enabled in Debian/UCS.
Xen: CVE-2013-4356 This issue only affects Xen 4.3
libvirt: CVE-2013-4399 This vulnerability was introduced in 1.1.0
Linux kernel: CVE-2011-4098 This was introduced in Linux 2.6.37 and fixed in Linux 3.2, so no UCS kernel is affected.
slim: CVE-2013-4412 The package in UCS 3.1 is not affected, the vulnerability is only exploitable with a more recent glibc.
Xen: CVE-2013-4370 CVE-2013-4371 CVE-2013-4369 These only affect Xen 4.2 and later
quassel: CVE-2013-4422 This is only exploitable if Postgres support is enabled, which isn't the case in Debian/UCS.
Linux kernel: CVE-2013-4738 CVE-2013-4739 These are drivers specific to Android
MySQL: CVE-2013-5807 CVE-2013-5793 CVE-2013-5786 CVE-2013-5770 CVE-2013-5767 These issues only affect MySQL 5.5 and/or 5.6
OpenJDK: CVE-2013-5824 CVE-2013-5788 CVE-2013-5787 CVE-2013-5789 CVE-2013-5852 CVE-2013-5812 CVE-2013-5776 CVE-2013-5818 CVE-2013-5819 CVE-2013-5831 CVE-2013-5848 These issues affect the Deployment component, which is only present in Oracle Java, but not in OpenJDK.
OpenJDK: CVE-2013-5805 CVE-2013-5806 These issues are specific to MacOS X.
OpenJDK: CVE-2013-5846 CVE-2013-5810 CVE-2013-5844 CVE-2013-5777 CVE-2013-5775 CVE-2013-5854 These issues affect the JavaFX component, which is only present in Oracle Java, but not in OpenJDK.
OpenJDK: CVE-2013-5838 CVE-2013-5851 CVE-2013-5800 These issues only affect Java 7
OpenJDK: CVE-2013-5804 This is by design, Javadoc comments can include arbitrary HTML code
qemu-kvm: CVE-2013-4344 This is only exploitable with a malformed configuration, which only an administrator can create.
rails: CVE-2013-4389 The version in UCS 3.1 is not affected
OpenJDK: CVE-2013-5844 JavaFX is not part of OpenJDK, only in Oracle Java.
xorg-server: CVE-2013-1056 The vulnerability was introduced in an Ubuntu-specific patch.
bugzilla: CVE-2013-1733 CVE-2013-1743 The version in UCS 3.1 is not affected.
gitolite: CVE-2013-4451 The affected code isn't present yet.
Linux kernel: CVE-2013-1956 CVE-2013-1957 CVE-2013-1958 These issues are already fixed in the 3.10.x kernel from UCS 3.2 and they don't affect the older kernels.
libhttp-body-perl: CVE-2013-4407 The issue was introduced in version 1.08
libvirt: CVE-2013-4311 Support for policykit isn't enabled in the Debian/UCS package.
libvirt: CVE-2013-4401 This issue was introduced in 1.1.0
libvirt: CVE-2013-4400 This issue was introduced in 1.1.2
policykit-1: CVE-2013-4288 The upstream fix only introduces a new option to pkcheck and deprecates an insecure API, the affected insecure interface isn't used in UCS.
nss: CVE-2013-1739 version 3.12.8-1+squeeze6 not affected
roundcube: CVE-2013-6172 [squeeze] - roundcube <not-affected> (Vulnerable code not present)
wireshark: CVE-2013-6339 → OpenWire dissector introduced in 1.8.0
Firefox: CVE-2013-5593 CVE-2013-5596 CVE-2013-5603 Only affects Firefox 18 and above
Firefox: CVE-2013-5591 CVE-2013-5592 CVE-2013-5598 Only affects Firefox 24 and above
libstruts1.2-java: CVE-2013-6348 This only affects Struts 2.x
puppet: CVE-2013-4965 CVE-2013-4957 This doesn't affect the standard puppet package from UCS 3.x, only the Enterprise release and an addon package
wireshark: CVE-2013-6336 CVE-2013-6337 CVE-2013-6338 The versions from UCS 2.4 and 3.1 are not affected; the affected code was introduced in a later version
Bind: CVE-2013-6230 This only affects Bind running on Windows (so probably no one at all :-)
Linux kernel: CVE-2013-4513 CVE-2013-4514 CVE-2013-4515 CVE-2013-4516 This only affects a driver from "staging", a development testbed for drivers which need to be cleaned up before they can be merged into the mainline kernel. The affected code isn't enabled in UCS/Debian kernels.
OpenSSH: CVE-2013-4548 This vulnerability only affects OpenSSH 6.2 and later
poppler: CVE-2013-4472 This issue only applies to non-Unix-like systems.
poppler: CVE-2013-4473 CVE-2013-4474 The affected binary was introduced in a later poppler version.
gnutls26: CVE-2013-4466 CVE-2013-4487 These issues only affect GNU TLS 3.1 and 3.2
Java: CVE-2013-5843 CVE-2013-5832 CVE-2013-5801 These changes are specific to Oracle Java; the exact issue is unknown (Oracle disclosure), but no fix landed in icedtea (the open source release branch)
ffmpeg: CVE-2013-0857 The vulnerable code isn't present yet
Xen: CVE-2013-4551 This only affects Xen 4.2 and later.
libxslt: CVE-2013-4520 This CVE is about an incomplete backport, but Debian/UCS contain the correct patch.
Xen: CVE-2013-4416 This only affects the Ocaml version of xenstored, which isn't used in Debian/UCS.
Linux: CVE-2013-6282 This issue is ARM-specific.
Linux: CVE-2013-4591 This issue was introduced in 3.6 and fixed in 3.8, so no UCS kernels were affected.
Xen: CVE-2013-6375 This only affects Xen 4.2 and later
Grub: CVE-2013-4577 grub.cfg is written by grub-mkconfig with world-readable permissions as standard. It has a feature that removes the world-readable bits if a clear text password is configured for the bootloader. This CVE ID is about the fact that in combination with hashed one-way passwords (password_pbkdf2) that permission fix isn't applied. We won't fix this in a security update, since this is only a minor hardening and passwords for the bootloader are not supported in the UCR templates anyway. Also, local bootloader restrictions are weak anyway.
nginx: CVE-2013-4547 This only applies to version 0.8.41 and later.
moodle: CVE-2013-4524 CVE-2013-4525 The affected code isn't present in the version in UCS 3.x
Linux kernel: CVE-2013-6379 This issue only affects the 3.10.x kernel from UCS 3.2. The driver isn't built in the kernel package, as it only exists in the experimental "staging" area.
Linux kernel: CVE-2013-6381 This issue only affects the s390 architecture (IBM zSeries).
Linux kernel: CVE-2013-6392 This issue only affects an Android-specific patch set.
Quagga: CVE-2013-6051 This only affects a later version.
Subversion: CVE-2013-4505 The affected Apache module isn't built in the Debian/UCS packages.
Subversion: CVE-2013-4558 This issue only affects 1.7.x and 1.8.x
Ganglia: CVE-2013-6395 The affected code isn't present yet.
ibus-anthy/ibus-pinyin/ibus-chewing: CVE-2013-4509 This is only a security issue in combination with IBUS 1.5.4.
augeas: CVE-2013-6412 The affected patch isn't present yet.
ffmpeg: CVE-2013-7024 CVE-2013-7022 CVE-2013-7021 CVE-2013-7019 CVE-2013-7018 CVE-2013-7017 CVE-2013-7016 CVE-2013-7014 CVE-2013-7013 CVE-2013-7012 CVE-2013-7008 The affected code isn't present yet.
Linux kernel: CVE-2013-6432 The affected code was introduced in Linux 3.11
rails: CVE-2013-6416 This only affects later versions.
Firefox: CVE-2013-5611 CVE-2013-5612 CVE-2013-5614 CVE-2013-5619 CVE-2013-6672 CVE-2013-5610 These issues don't affect the ESR 24.x series
Xen: CVE-2013-6400 This only affects Xen 4.2 and later.
hplip: CVE-2013-6427 The affected code isn't present yet.
Horde: CVE-2013-1090 This is a SuSE-specific packaging flaw.
ack-grep: CVE-2013-7069 The affected code isn't present yet.
devscripts: CVE-2013-7050 The affected code isn't present yet.
devscripts: CVE-2013-7085 The affected code isn't present yet.
rails: CVE-2013-6414 The affected code isn't present yet.
opensaml2: CVE-2013-6440 This only affects the Java-based Shibboleth implementation, UCS 3.x contains the C-based version.
libproc-daemon-perl: CVE-2013-7135 The affected code isn't present yet.
curl: CVE-2013-6422 This was introduced in Curl 7.21.4
Wireshark: CVE-2013-7112 The affected code isn't present
Wireshark: CVE-2013-7113 This doesn't allow code injection, so it's not treated as a security issue, see README.Debian.security
openssl: CVE-2013-6449 The OpenSSL version in UCS doesn't support TLS 1.2
ffmpeg: CVE-2012-6616 CVE-2012-6615 The affected code isn't present yet
libi18n-ruby: CVE-2013-4492 The affected code isn't present yet
libpng: CVE-2013-6954 The affected code was introduced in 1.6.1
llvm / llvm-2.7: CVE-2013-7171 This is a Slackware-specific build problem
libiodbc2: CVE-2013-7172 This is a Slackware-specific build problem
rails: CVE-2013-4491 The affected code isn't present yet
software-properties: CVE-2013-1061 The version in UCS doesn't use Policykit yet.
poppler: CVE-2012-2142 This is not treated as a security issue in Debian/UCS, but only as hardening. The sanitising takes place in the terminal emulator.
kdebase-workspace: CVE-2013-4132 This is only exploitable with glibc 2.17
kdebase-workspace: CVE-2013-4133 The affected code isn't present yet
distribute: CVE-2013-1633 This is additional hardening, not a security vulnerability
php5: CVE-2011-4718 (ID was assigned in 2013) This is a long-standing design flaw in PHP which was addressed in 5.5.2. The changes are too invasive to backport, mitigations are documented here: https://wiki.php.net/rfc/strict_sessions#current_solution
wireshark: CVE-2013-7114 The vulnerable code isn't present yet
openssl: CVE-2013-4353 This only affects OpenSSL >= 1.0.0
vnc4: CVE-2013-6886 This only affects RealVNC 5.0.6
gdm3: CVE-2013-7273 The affected code isn't present yet.
chromium-browser: CVE-2012-2899 CVE-2012-2898 These are specific to iOS
libvirt: CVE-2013-6456 The affected code was introduced in 1.0.1
cups: CVE-2013-6891 The vulnerability was introduced in 1.6.4
libnokogiri-ruby: CVE-2013-6460 CVE-2013-6461 Only versions >= 1.4 are affected.
ffmpeg: CVE-2011-3950 CVE-2011-3949 (these IDs were only recently assigned) The affected code was introduced later.
OpenJDK: CVE-2014-0415 CVE-2014-0410 CVE-2014-0424 CVE-2014-0387 CVE-2013-5904 CVE-2014-0375 CVE-2014-0403 CVE-2013-5902 CVE-2014-0418 CVE-2013-5887 CVE-2013-5899 CVE-2013-5888 CVE-2013-5898 The Deployment components are not part of OpenJDK, only present in Oracle Java
OpenJDK: CVE-2014-0385 CVE-2014-0408 Specific to Mac OS X
OpenJDK: CVE-2013-5893 Only affects OpenJDK 7
OpenJDK: CVE-2013-5870 CVE-2013-5895 CVE-2014-0382 Only affects JavaFX, which is not part of OpenJDK, only Oracle Java
OpenJDK: CVE-2013-5905 CVE-2013-5906 This only affects the installer package for Oracle Java, not the distro packages based on OpenJDK
MySQL: CVE-2013-5860 CVE-2013-5882 CVE-2014-0433 CVE-2013-5894 CVE-2013-5881 CVE-2013-5891 CVE-2014-0427 CVE-2014-0431 CVE-2014-0430 CVE-2014-0420 These issues are specific to MySQL 5.5 and/or 5.6
libvirt: CVE-2014-0028 CVE-2013-6457 These issues were introduced in 1.1.1 or 1.2.0
poppler: CVE-2013-7296 The affected code was introduced in a later version
Xen: CVE-2014-1642 Only Xen 4.2 and later are affected.
Xen: CVE-2014-1666 Only later Xen releases are affected.
Tor: CVE-2013-7295 The version in UCS is not affected, this is only exploitable in conjunction with OpenSSL 1.x
libjamon-java: CVE-2013-6235 The affected file is excluded in the Debian/UCS build
Linux: CVE-2014-0038 This only affects the x32 architecture, which is not supported in UCS.
fwsnort: CVE-2014-0039 The vulnerable code was introduced later
Firefox: CVE-2014-1478 CVE-2014-1480 CVE-2014-1483 CVE-2014-1485 CVE-2014-1488 CVE-2014-1489 These issues only apply to Firefox 25/26, but not to the ESR24 series.
Firefox: CVE-2014-1484 This is specific to Firefox on Android
mumble: CVE-2014-0044 CVE-2014-0045 The version in UCS 3.x doesn't have support for the affected Opus codec
Xen: CVE-2014-1895 CVE-2014-1896 These issues only affect Xen 4.2 and later.
xen: CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894 This only affects XSM/FLASK, which is not enabled
xen: CVE-2014-1896 CVE-2014-1895 This only affects Xen 4.2 and later
ffmpeg: CVE-2011-3935 (CVE ID was only recently assigned) The vulnerable code was introduced later
openssh: CVE-2014-1692 This is an experimental feature which is not enabled in Debian/UCS
liblivemedia: CVE-2013-6933 CVE-2013-6934 The affected code was introduced later.
gnutls26: CVE-2014-1959 This only affects GNU TLS 2.11 and later, the version in UCS 3.x is not affected.
php5: CVE-2013-7226 The affected code was introduced in PHP 5.5.0
rails: CVE-2014-0080 This only affects rails 4.x
maradns: CVE-2014-2031 CVE-2014-2032 The Deadwood resolver isn't enabled in the Debian/UCS package.
openswan: CVE-2014-2037 The broken fix was never shipped.
Linux: CVE-2013-4737 The affected code isn't present in the standard Linux kernel
Linux: CVE-2012-6638 (only recently assigned) This fix was backported to 3.2.24, which is already present in the kernel in UCS 3.1. UCS 3.2 has been fixed from the initial release as well.
Linux: CVE-2014-2039 This issue is specific to s390.
Linux: CVE-2014-2038 This issue was introduced in 3.11
php5: CVE-2013-7327 CVE-2013-7328 CVE-2014-2020 The affected code was introduced in PHP 5.5
gnutls: CVE-2009-5138 (only assigned yesterday) This was already fixed in version 2.7.6 and thus doesn't affect the GNU TLS releases in UCS 3.x
libpng: CVE-2014-0333 This only affects libpng 1.6.x
Linux: CVE-2014-0102 This issue was introduced in 3.13, so no UCS kernel is affected.
nginx: CVE-2014-0088 This only affects 1.5.10
ffmpeg: CVE-2014-2099 CVE-2014-2098 CVE-2014-2097 The affected code isn't present yet.
Wireshark: CVE-2014-2283 CVE-2014-2282 The affected code isn't present yet.
libstruts1.2-java: CVE-2014-0094 This only affects Struts 2.x
puppet: CVE-2013-4971 CVE-2013-4966 Only affects Puppet Enterprise
openssl: CVE-2014-2234 This is caused by an Apple-specific patch
stunnel4: CVE-2014-0016 The Debian/UCS package is not affected, it uses threading instead of forking connections.
freetype: CVE-2014-2240 CVE-2014-2241 The affected code was introduced in 2.5
libspring-java: CVE-2014-0097 The Active Directory authentication code was introduced in 3.1.x
php5: CVE-2014-2497 The affected function isn't enabled in the Debian build.
moodle: CVE-2014-0122 CVE-2014-0124 CVE-2014-0125 CVE-2014-0127 CVE-2014-0129 The affected code isn't present yet
curl: CVE-2014-2522 This issue is Windows-specific
chromium-browser: CVE-2014-1714 This is Windows-specific
nginx: CVE-2014-0133 The affected code isn't present in UCS 3.x
Firefox: CVE-2014-1494 CVE-2014-1498 CVE-2014-1499 CVE-2014-1500 CVE-2014-1502 CVE-2014-1504 These issues only affect Firefox > 24 (i.e. not the ESR series)
Firefox: CVE-2014-1496 This only affects the Firefox update mechanism, which isn't used in UCS.
Firefox: CVE-2014-1501 CVE-2014-1506 These only affect Firefox on Android
Python: CVE-2013-7338 This only affects Python 3.x
Xen: CVE-2014-2580 This is only exploitable with a Linux kernel >= 3.12
vnc4: CVE-2014-0011 This is only exploitable in a non-standard debug mode.
puppet: CVE-2013-4965 CVE-2013-1399 CVE-2013-1398 CVE-2012-5158 This only applies to Puppet Enterprise, not the open source version.
net-snmp: CVE-2014-2285 This is only exploitable with old Perl versions, the Perl package in UCS 3.x is not affected.
net-snmp: CVE-2014-2284 This only affects 5.5 and later.
curl: CVE-2014-1263 This only applies to Curl using the MacOS crypto libs
puppet: CVE-2013-4963 This only affects Puppet Enterprise
Python: CVE-2014-2667 This only affects Python 3.x
Linux: CVE-2014-2673 This only affects the PowerPC architecture
cups / cups-filters: CVE-2014-2707 The vulnerable code isn't present yet
Linux: CVE-2013-7348 This was introduced in 3.13
openssl: CVE-2014-0160 This only affects 1.0.1 and later
Linux: CVE-2014-2739 This was introduced and fixed during the 3.14 development cycle.
qemu-kvm: CVE-2013-4544 The affected driver was introduced in 1.4
cifs-utils: CVE-2014-2830 The affected PAM module was introduced in 6.3
rsync: CVE-2014-2855 The affected code isn't present yet
OpenJDK: CVE-2014-2410 CVE-2014-2422 The affected code (JavaFX) is only part of Oracle Java, not OpenJDK
OpenJDK: CVE-2014-0455 CVE-2014-0454 CVE-2014-2402 CVE-2014-0463 CVE-2014-0464 CVE-2014-2413 These issues only affect Java 7/8
OpenJDK: CVE-2014-0448 CVE-2014-2428 CVE-2014-2409 CVE-2014-0449 CVE-2014-2420 The Deployment components are not part of OpenJDK.
mysql-5.1: CVE-2014-2444 CVE-2014-2436 CVE-2014-2440 CVE-2014-2434 CVE-2014-2435 CVE-2014-2442 CVE-2014-2450 CVE-2014-2419 CVE-2014-0384 CVE-2014-2430 CVE-2014-2451 CVE-2014-2438 CVE-2014-2432 CVE-2014-2431 These issues only affect MySQL 5.5 and/or 5.6
libpng: CVE-2013-7353 CVE-2013-7354 This only affects libpng 1.5 and later.
qemu-kvm: CVE-2013-4544 CVE-2014-0148 This was introduced in 1.4 or 1.5
openjdk6: CVE-2014-0432 CVE-2014-2401 These issues are specific to Oracle Java and don't affect OpenJDK.
openssl: CVE-2010-5298 The affected code isn't present yet (and it is only exploitable if OpenSSL is built with OPENSSL_NO_BUF_FREELIST, which makes it use the malloc implementation from glibc).
Linux: CVE-2014-2889 This was fixed upstream in Linux 3.2, so all maintained UCS releases are covered.
Xen: CVE-2014-2915 CVE-2014-2986 These issues are ARM-specific
Wireshark: CVE-2014-2907 This only affects Wireshark 1.10.x
fish: CVE-2014-2914 The affected code is not yet present
mediawiki: CVE-2014-2853 The affected code was introduced later.
Firefox: CVE-2014-1519 CVE-2014-1522 CVE-2014-1525 CVE-2014-1492 CVE-2014-1526 This only affects later Firefox releases
Firefox: CVE-2014-1520 CVE-2014-1528 This is Windows-specific
Firefox: CVE-2014-1527 This is Android-specific
Xen: CVE-2014-3125 This is specific to ARM
libstruts1.2-java: CVE-2014-0094 CVE-2014-0112 CVE-2014-0113 This only affects Struts 2.x
OpenSSL: CVE-2014-0198 The affected code was introduced later.
netty: CVE-2014-0193 The affected code was introduced later.
struts: CVE-2014-0116 This only affects struts 2.x
emacs23: CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424 The tempfile hardening available in the Linux kernels from UCS 3.1 and 3.2 prevents these from being exploitable.
Bind: CVE-2014-3214 The affected functionality isn't present yet in UCS 3.x
policycoreutils: CVE-2014-3215 seunshare is not built/enabled in Debian and thus UCS.
Linux: CVE-2012-6647 This is already fixed in UCS 3.1 and UCS 3.2 Xen: CVE-2014-3714 CVE-2014-3715 CVE-2014-3716 CVE-2014-3717 These only affect ARM torque: CVE-2014-0749 This only affects 2.5 and later. moodle: CVE-2014-0218 CVE-2014-0217 CVE-2014-0214 CVE-2014-0213 The affected code isn't present in the version in UCS 3.x VLC: CVE-2014-3441 This is specific to VLC on Windows xemacs21: CVE-2014-3422 CVE-2014-3424 The affected code isn't present in Xemacs exim4: CVE-2014-2957 This only affects Exim 4.82 when compiled with an experimental option.
GNU TLS: CVE-2014-3465 This only affects GNU TLS 3.0 and later Samba: CVE-2014-0239 The internal DNS server isn't used in UCS, we use Bind instead.
php5: CVE-2014-0185 The FPM module is only built in later PHP releases. tomcat6: CVE-2014-0095 This only affects Tomcat 8. directfb: CVE-2014-2977 CVE-2014-2978 The affected code was introduced later.
Xen: CVE-2014-3968 CVE-2014-3967 These only affect Xen 4.2 and later Xen: CVE-2014-3969 This only affects Xen on ARM. Ruby: CVE-2014-3916 This is only exploitable on Windows zookeeper: CVE-2014-0085 This CVE is for the integration of zookeeper into Fuse Fabric from Red Hat PHP: CVE-2014-3981 This is only exploitable during the package build. nagios-nrpe: CVE-2014-2913 This only affects an inherently insecure option (which cannot be configured in UCS anyway without modifying the UCR template)
puppet: CVE-2014-3249 This only affects Puppet Enterprise Firefox: CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1540 CVE-2014-1542 These issues don't affect Firefox 24 ESR Firefox: CVE-2014-1539 Specific to Mac OS X Firefox: CVE-2014-1543 Specific to Windows 8
puppet: CVE-2014-3250 This is only exploitable with Apache 2.4, which is not in UCS 3.2 openafs: CVE-2014-4044 This was introduced in 1.6.8 asterisk: CVE-2014-4045 CVE-2014-4048 CVE-2014-4046 This only affects 11.x / 12.x wireshark: CVE-2014-4020 The vulnerable code isn't present yet netty: CVE-2014-3488 The vulnerable code was introduced later
bind: CVE-2014-3859 The affected code was introduced later. Linux: CVE-2014-4157 This is MIPS-specific Linux: CVE-2014-4611 LZ4 compression was introduced in 3.11. Linux: CVE-2014-0203 This was fixed a long time ago in Linux 2.6.33 and is thus fixed in all UCS kernels since UCS 3.0 kde4libs: CVE-2014-3494 The vulnerable code was introduced later. cups: CVE-2014-4336 CVE-2014-4337 The vulnerable code was introduced later. wireshark: CVE-2014-4174 This only affects later releases. file: CVE-2014-0236 The affected code was introduced in 5.18
(In reply to Moritz Muehlenhoff from comment #329)
> file: CVE-2014-0236
>
> The affected code was introduced in 5.18

php5 in UCS 3.2 is also not affected (filemagic uses a local copy)
Xen: CVE-2014-4022 This only affects Xen on ARM nagios-plugins: CVE-2014-4703 CVE-2014-4702 CVE-2014-4701 This is only exploitable with the plugins installed setuid root, which is not the case in UCS/Debian. xserver-xorg-video-intel: CVE-2014-4910 The vulnerable code was introduced later. openjdk-6: CVE-2014-4227 CVE-2014-4247 CVE-2014-4265 CVE-2014-4220 CVE-2014-4208 These components are only available in Oracle Java, not OpenJDK openjdk-6: CVE-2014-2490 CVE-2014-4266 This only affects Java 7 mysql-5.1: CVE-2014-2484 CVE-2014-4258 CVE-2014-2494 CVE-2014-4238 CVE-2014-4207 CVE-2014-4233 CVE-2014-4240 CVE-2014-4214 CVE-2014-4213 This only affects later MySQL releases
rawstudio: CVE-2014-4978 The vulnerable code isn't present yet php5: CVE-2014-4698 CVE-2014-4670 This is only exploitable by malicious scripts and thus not covered by the Debian/UCS PHP security policy. openjdk-6: CVE-2014-2483 CVE-2014-4221 CVE-2014-4223 CVE-2014-4264 These only affect Java 7, but not Java 6. ipython: CVE-2014-3429 The affected websocket code is not yet present. apache2: CVE-2014-0117 This only affects 2.4.6 to 2.4.9
moodle: CVE-2014-3550 CVE-2014-3551 This only affects more recent versions lighttpd: CVE-2014-2469 Specific to Solaris phpmyadmin: CVE-2014-4955 CVE-2014-4987 The affected code was introduced later libphp-snoopy: CVE-2014-5009 The broken patch was never applied apache2: CVE-2014-3523 This is Windows-specific Linux: CVE-2014-3534 This is specific to zSeries Firefox: CVE-2014-1548 CVE-2014-1549 CVE-2014-1550 CVE-2014-1561 CVE-2014-1558 CVE-2014-1559 CVE-2014-1560 CVE-2014-1552 This only affects Firefox releases after 24 ESR Firefox: CVE-2014-1551 This only affects Firefox on Windows
subversion: CVE-2013-2088 CVE-2013-7393 CVE-2013-4262 The affected tools are not installed into the binary packages. GCC: CVE-2014-5044 This fix doesn't affect UCS directly, since no Fortran code is used. A full fix would require recompiling all affected packages anyway. This will be fixed in future UCS releases with a newer version of Gfortran. phpmyadmin: CVE-2014-4954 The affected code isn't present yet apache2: CVE-2013-4352 This only affects more recent releases.
xen: CVE-2014-5148 CVE-2014-5147 This affects only ARM subversion: CVE-2014-3522 UCS is not affected, since it links against neon instead of libserf.
Linux: CVE-2014-2580 The affected code was introduced in 3.12 Linux: CVE-2014-5206 CVE-2014-5207 The affected functionality (user namespaces) is only usable starting with 3.12 ganeti: CVE-2014-5247 The affected code was introduced later. libaml-dt-perl: CVE-2014-5260 The affected code was introduced later. qemu-kvm: CVE-2014-5263 The affected code was introduced in 1.6.0 subversion: CVE-2014-3522 This is only theoretically exploitable. rails: CVE-2014-3514 This only affects more recent versions
python-imaging: CVE-2014-3598 The affected code was introduced later openoffice: CVE-2014-3575 CVE-2014-3574 This only affects OpenOffice on Windows
php5: CVE-2014-5120 The vulnerable code was introduced later. gd2: CVE-2014-5120 This is specific to the integration of GD in PHP, the generic gd2 is not affected. Firefox: CVE-2014-1553 CVE-2014-1554 CVE-2014-1563 CVE-2014-1564 CVE-2014-1565 These only affect later releases. Firefox: CVE-2014-1566 This only affects Firefox on Android openoffice.org: CVE-2014-3524 This only affects Windows
dhcpcd: CVE-2014-6060 This only affects later releases ( >= 4) ckeditor: CVE-2014-5191 The affected code isn't present yet Linux: CVE-2014-0972 The affected driver is not part of the mainline kernel as used in UCS haproxy: CVE-2014-6269. The affected code was introduced later xen: CVE-2014-6268 This only affects Xen 4.4 and later
pdns-recursor: CVE-2014-3614 This only affects release 3.6.0 tomcat6: CVE-2013-4444 This only affects Tomcat 7 Linux: CVE-2014-0205 CVE-2014-3535 These issues have been fixed in 2.6.36 and 2.6.37, so the kernel in the currently supported UCS release is not affected ace: CVE-2014-6311 The affected script is not installed into the DEB packages, only present in the source. chicken: CVE-2014-6310 This only affects the Android platform
phpmyadmin: CVE-2014-6300 The affected code isn't present yet wireshark: CVE-2014-6425 CVE-2014-6426 The affected code was introduced later Linux: CVE-2014-3631 The affected code was introduced in 3.13 twisted: CVE-2014-7143 The affected code was introduced in 14.0
suricata: CVE-2014-6603 The affected code is not yet present libvirt: CVE-2013-4154 The affected code was introduced later (1.1.0)
Linux: CVE-2014-7284 The vulnerability was introduced in 3.13 and fixed in 3.16 phpmyadmin: CVE-2014-7217 The affected code was introduced later apt: CVE-2014-7206 The affected command was introduced later. chromium-browser: CVE-2014-3196 This only affects Windows
phpmyadmin: CVE-2014-5273 CVE-2014-5274 The vulnerable code was introduced later libvirt: CVE-2014-3657 The affected code was introduced later (0.10)
php5: CVE-2014-3622 The issue is not exploitable in the version used in UCS
Firefox: CVE-2014-1575 CVE-2014-1580 CVE-2014-1582 CVE-2014-1584 These issues only affect Firefox 32 and later OpenJDK: CVE-2014-6513 This issue is specific to Windows OpenJDK: CVE-2014-6532 CVE-2014-6503 CVE-2014-6456 CVE-2014-6492 CVE-2014-6493 CVE-2014-4288 CVE-2014-6466 CVE-2014-6458 CVE-2014-6476 CVE-2014-6515 CVE-2014-6527 The deployment components are not part of OpenJDK, only in Oracle Java OpenJDK: CVE-2014-6562 CVE-2014-6519 These issues are specific to Java 7 and/or Java 8 and don't affect Java 6 as shipped in UCS
openssl: CVE-2014-3513 The affected code was introduced in 1.0.1
mysql-5.1: CVE-2014-6507 CVE-2014-6491 CVE-2014-6500 CVE-2014-6469 CVE-2014-0224 CVE-2014-6530 CVE-2014-6555 CVE-2014-6489 CVE-2012-5615 CVE-2014-6559 CVE-2014-6494 CVE-2014-6496 CVE-2014-6495 CVE-2014-6478 CVE-2014-4274 CVE-2014-4287 CVE-2014-6520 CVE-2014-6484 CVE-2014-6464 CVE-2014-6564 CVE-2014-6474 CVE-2014-6463 CVE-2014-6551 These vulnerabilities only affect 5.5 and/or 5.6
hostapd: CVE-2014-3686 The vulnerable code was introduced later wireshark: CVE-2014-6421 The vulnerable code was introduced later
libvpx: CVE-2014-1578 The affected codec was introduced later linux: CVE-2014-8480 CVE-2014-8481 The KVM issues were introduced in 3.17
apache2: CVE-2014-3581 This only affects Apache 2.4 Linux: CVE-2014-7207 This only affects the 3.2 Debian kernel Linux: CVE-2014-8369 The faulty patch was never applied to the UCS 3.2 kernel
smarty: CVE-2014-8350 This only affects Smarty 3.x openoffice.org: CVE-2014-3693 This only affects Libreoffice 4.0 and later libvirt: CVE-2014-7823 The affected code was introduced in 1.0.0 polarssl: CVE-2014-8627 This was introduced in 1.3.8 cairo: CVE-2014-5116 This has been described as a Cairo vulnerability, but it is in fact a non-security bug in Wireshark.
gnutls26: CVE-2014-8564 Support for ECC has only been added in a later version
Linux: CVE-2014-7843 This only affects arm64
mantis: CVE-2014-8987 The affected code was introduced later tcpdump: CVE-2014-8768 The affected code was introduced later (in 4.5) Linux: CVE-2014-7843 This only affects ARM64 openssl: CVE-2014-3569 The affected build option (CVE-2014-3569) isn't used in the openssl builds in UCS 3.2 and 4.0
asterisk: CVE-2014-8413 CVE-2014-8415 CVE-2014-8416 CVE-2014-6609 The affected code was introduced later (Asterisk 11 or 12) zendframework: CVE-2014-4913 This only affects Zend Framework 2 ffmpeg (UCS 3.x) / libav (UCS 4.x): CVE-2014-8549 CVE-2014-8542 The vulnerable code was introduced later mountall: CVE-2014-1421 This only affects systems running a mount binary from util-linux > 2.20 python-pip: CVE-2014-8991 This only affects more recent versions dpkg: CVE-2014-8625 The dpkg package in UCS 3.2 doesn't contain the regression yet. In UCS 4.0 the bug is rendered non-exploitable by D_FORTIFY_SOURCE
canto: CVE-2013-7416 The affected code was introduced later and is not present in UCS 3.2/4.0 libimobiledevice: CVE-2013-2142 The affected code was introduced later and is not present in UCS 3.2/4.0 xen: CVE-2014-4883 This only affects Xen as packaged in Fedora kde-workspace: CVE-2014-8651 This is not exploitable in the Debian/UCS configuration (compared to Ubuntu), since the user needs to authenticate in Debian/UCS to change the time.
miniupnpc: CVE-2014-3985 The vulnerable code was introduced later Firefox: CVE-2014-1595 This only affects Firefox running on MacOS X. Firefox: CVE-2014-1591 CVE-2014-1588 This only affects Firefox 33. Linux: CVE-2014-8709 This issue was fixed in upstream 3.14, so UCS 4.0 wasn't affected at all. The patch was added to the 3.10.32 long term kernel, which was merged in errata 134 for UCS 3.2
antiword: CVE-2014-8123 This has already been fixed in the Debian package back in 2009, so the versions in UCS 3.2 and 4.0 are fixed. Firefox: CVE-2014-8631 CVE-2014-8632 CVE-2014-1589 These only affect Firefox 33 openssh: CVE-2014-9278 This only affected a Fedora-specific patch which isn't in Debian/UCS
apache2: CVE-2014-8109 The vulnerable code is only present in Apache 2.4.x bind9: CVE-2014-8680 The affected code was introduced in 9.10 xorg-server: CVE-2014-8103 xen: CVE-2014-9065 CVE-2014-9066 This only affects 4.2 and later libstruts1.2-java: CVE-2014-7809 This only affects Struts 2 (not packaged in Debian) libvirt: CVE-2014-5177 This is not exploitable in the version in UCS 3.2, and UCS 4.0 has had the patch since the initial release.
libav: CVE-2014-9319 CVE-2014-9318 CVE-2014-9317 The affected code was introduced later asterisk: CVE-2014-9374 The affected code was introduced later libvirt: CVE-2014-8131 The affected code was introduced later (1.2.9) krb5: CVE-2014-5354 This only affects MIT Kerberos 1.12 and later php5: CVE-2014-8142 The affected feature is documented to be insecure when used with untrusted input. openssh: CVE-2014-8475 This is a FreeBSD-specific packaging problem.
emacs23: CVE-2014-9483 This only affects Emacs 24 rabbitmq-server: CVE-2014-9494 The affected feature was introduced later (3.4.0) php5: CVE-2014-9426 The vulnerable code is not yet present file: CVE-2014-9426 This is limited to filemagic from PHP Linux: CVE-2014-4322 This driver is specific to Android mongodb: CVE-2014-3971 The affected feature was introduced later (2.6)
php5: CVE-2014-9425 The affected feature (ZTS) is not enabled in Debian/UCS. Linux: CVE-2014-4323 This driver is specific to Android puppet: CVE-2014-9355 This only affects Puppet Enterprise libvirt: CVE-2014-8135 The affected code was introduced in 1.2.8 libvirt: CVE-2014-8131 The affected code was introduced in 1.2.9
xen: CVE-2015-0361 This only affects Xen 4.2 and later libpng: CVE-2014-9495 This is not exploitable in the versions in UCS 3/4, since limits are in place which prevent such oversized images. qemu-kvm: CVE-2014-3471 The affected feature is not yet present in UCS 3/4
lucene-solr: CVE-2014-3628 The affected code was introduced later (in solr 4.0) curl: CVE-2014-8151 This only affects curl when using darwinssl/MacOS libpng: CVE-2015-0973 This only affects later libpng releases (1.5 and later)
Firefox: CVE-2014-8635 CVE-2014-8637 CVE-2014-8640 CVE-2014-8642 CVE-2014-8636 This only affects later releases than 31.x Firefox: CVE-2014-8642 This only affects Windows vala (in UCS 3.2) / vala-0.14 (UCS 4.0) / vala-0.16 (UCS 4.0): CVE-2014-8154 The affected code was introduced later.
patch: CVE-2015-1196 Support for the affected feature (git-style patches) was only added in 2.7, which isn't in UCS 3.2/4.0 ffmpeg/libav: CVE-2014-9602 The affected code is only present in later ffmpeg releases. php5: CVE-2014-9620 CVE-2014-9621 The affected code was introduced later. file: CVE-2014-9621 The affected code was introduced later. trafficserver: CVE-2014-10022 This only affects 5.0 and later
libxml-security-java: CVE-2014-8152 The affected feature was introduced in Santuario 2.0 OpenJDK: CVE-2014-6549 CVE-2015-0437 CVE-2015-0421 This only affects Java 8 OpenJDK: CVE-2015-0403 CVE-2015-0406 The Deployment components are not part of OpenJDK as used in UCS; they are only present in Oracle Java. OpenJDK: CVE-2015-0400 This only affects Java on Windows VirtualBox: CVE-2015-0427 CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 The affected code was introduced later in 4.3 MySQL: CVE-2015-0409 CVE-2015-0385 These vulnerabilities only affect MySQL 5.6
(In reply to Moritz Muehlenhoff from comment #367)
> patch: CVE-2015-1196
>
> Support for the affected feature (git-style patches) was only added in 2.7,
> which isn't in UCS 3.2/4.0

The fix introduced another vulnerability (CVE-2015-1396), which consequently also doesn't affect UCS 3.2/4.0.
vlc: CVE-2014-9625 The affected auto-updater is not enabled in the Debian/UCS build. libav/ffmpeg: CVE-2014-9597 CVE-2014-9598 The bugs were initially reported against VLC/Windows, but they cannot be reproduced with the UCS/Debian builds (which use the system lib of ffmpeg (3.2) or libav (4.0)) privoxy: CVE-2015-1380 The affected code was introduced in a later version (3.0.20) wireshark: CVE-2015-0559 CVE-2015-0560 CVE-2015-0561 CVE-2015-0563 These issues only affect later releases (1.10 and above and 1.8.9) php5: CVE-2015-0231 The patch which introduced the regression wasn't applied to UCS 3.2 or UCS 4.0 php5: CVE-2015-1353 That's a standard bug and not security-relevant.
php5: CVE-2015-1351 The affected extension (opcache) was introduced in 5.5 Java: CVE-2014-8891 CVE-2014-8892 These are specific to IBM Java and don't apply to OpenJDK PostgreSQL: CVE-2015-0242: This is Windows-specific. activemq: CVE-2014-8110 The admin console is not enabled in the Debian package zeromq: CVE-2014-7203 CVE-2014-7204 These only affect ZeroMQ 4, not 3.x patch: CVE-2015-1395 The affected feature was introduced in patch 2.7, so UCS 3/4 is not affected. grep: CVE-2015-1345 The affected code was added in 2.18, so UCS 3.2 and 4.0 are not affected.
node-serve-static: CVE-2015-1164 elasticsearch: CVE-2015-1427 (only jessie and later releases)
unzip: CVE-2015-1315 (*-unzip60-alt-iconv-utf8 patch not applied in Debian)
chromium-browser: CVE-2014-9648 This only affects Chrome/Android chromium-browser: CVE-2014-9646 This only affects Chrome/Windows asterisk: CVE-2015-1558 This only affects 12.x and 13.x. Xen: CVE-2015-1563 This only affects Xen on ARM Linux kernel: CVE-2012-6689 (only recently assigned) The fix was already merged in a 3.2.x point release (3.2.30), so UCS 3.1 is fixed. The upstream fix was in 3.6, so UCS 3.2 and 4.0 are fixed as well. The kernel in 2.4 is affected, but it's not severe enough per the guidelines for extended support.
jetty: CVE-2015-2080 The vulnerable code was introduced later wireshark: CVE-2015-2187 CVE-2015-2189 CVE-2015-2190 CVE-2015-2192 This only affects the 1.12 series
Linux: CVE-2015-0274 This was introduced in 3.11 and fixed in 3.15, so no UCS kernel is affected squid3: CVE-2015-0881 This was fixed five years ago in 3.1.1, so all UCS releases are fixed.
firefox: CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0828 CVE-2015-0829 CVE-2015-0830 CVE-2015-0832 CVE-2015-0833 CVE-2015-0834 rsync: CVE-2014-9512 (only in jessie)
cups-filters: CVE-2015-2265 The vulnerable code isn't present yet in UCS 4.0 (followup to CVE-2014-2707)
nova: CVE-2015-0259 The affected code isn't present in the version in UCS 4.0 yet. lasso: CVE-2015-1783 The affected code was introduced later (2.4.0) pngcrush: CVE-2015-2158 The vulnerability was introduced in a later release. dokuwiki: CVE-2015-2172 The vulnerability was introduced in a later version
apache2: CVE-2015-0228 The affected mod_lua has been introduced in a more recent version (apache 2.4) requests: CVE-2015-2296 Vulnerable code introduced in a more recent version (requests 2.1.0).
autofs: CVE-2014-8169 The affected code was introduced later (5.0.8) and the package is unmaintained.
openssl: CVE-2015-0207 CVE-2015-0208 CVE-2015-0290 CVE-2015-0291 CVE-2015-1787 The affected code was introduced later (1.0.2). openssl: CVE-2015-0293 (SSLv2 disabled in Debian)
libspring-java: CVE-2015-0201 The affected code was introduced later (in 4.1.0) texlive-base: CVE-2015-0296 This is a Red Hat-specific packaging flaw. kexec-tools: CVE-2015-0267 The affected script is not shipped in the Debian/UCS packages. glusterfs: CVE-2015-1795 This is a Red Hat-specific packaging flaw. Xen: CVE-2015-0268 This only affects Xen 4.5
Linux: CVE-2015-2686 This was introduced in 3.19, so no UCS release is affected.
glusterfs: CVE-2014-3619 This was introduced in a later version than 3.2. wss4j: CVE-2015-0226 CVE-2015-0227 The affected code was introduced in a later version
php5: File sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (php5-fpm) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client (CVE-2014-0185). This is only exploitable by malicious scripts and thus not covered by the Debian/UCS PHP security policy.
cups-filters: CVE-2013-6473 CVE-2014-4338 Version in UCS 4.0 does not contain the code and it was not present earlier. jbigkit: CVE-2013-6369 Version included in UCS 4.0 is already fixed.
ffmpeg: CVE-2014-5271 - Vulnerable code not present openldap: CVE-2014-9713 - We are not using the default configuration
firefox: CVE-2012-2808 CVE-2015-0800 CVE-2015-0802 CVE-2015-0803 CVE-2015-0804 CVE-2015-0805 CVE-2015-0806 CVE-2015-0808 CVE-2015-0810 CVE-2015-0811 CVE-2015-0812 CVE-2015-0814 These only affect Firefox releases later than 31.5
firefox: CVE-2015-0799 -> Affects only Firefox release 37.0
curl: CVE-2015-3144 CVE-2015-3145 (doesn't affect version in UCS 4.0-x and earlier) firefox/iceweasel: CVE-2015-2706 -> Affects only Firefox release 37.0 wpa: CVE-2015-1863 (Binary packages built for UCS 4.0 are not affected since WiFi P2P is disabled) pdns/pdns-recursor: CVE-2015-1868 (only later versions than shipped with UCS 4.x and also unmaintained)
qemu: CVE-2015-1779 (Websocket protocol support introduced in v1.4.0-rc0)
apache2: CVE-2015-0253 (only in version 2.4.11, never shipped) icecast2: CVE-2015-3026 (not affected and unmaintained) linux: CVE-2015-2672 (Introduced in v3.17-rc1)
firefox: CVE-2015-2709 CVE-2015-2711 CVE-2015-2712 CVE-2015-2714 CVE-2015-2715 CVE-2015-2717 CVE-2015-2718 CVE-2015-2720 (all only Firefox 38) CVE-2011-3079 (only Windows) squid/squid3: CVE-2015-3455 Only affects custom builds with --enable-ssl (disabled for license purposes in Debian)
qemu / qemu-kvm: CVE-2014-9718 (not a security issue) CVE-2015-1779 (Websocket protocol support introduced in v1.4.0-rc0), CVE-2015-2756 (Vulnerable code not present)
subversion: CVE-2014-8108 CVE-2015-0202 (only affects later versions than shipped with UCS 4.0) wireshark: CVE-2015-3815 (android logcat)
libav: CVE-2015-3417 (Not yet present in UCS 4.0)
Xen: CVE-2015-4163 (Xen 4.2 onwards are vulnerable) wpa: CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146 (Code not yet active in UCS 4.0) curl: CVE-2015-3236 CVE-2015-3237 (Code not yet present in UCS 4.0) pcre3: CVE-2015-2326 (Code not present)
firefox/iceweasel: CVE-2015-2729 CVE-2015-2727 CVE-2015-2731 CVE-2015-2741 (Affects only Firefox release 38 and later)
openssl: CVE-2015-1793 https://openssl.org/news/secadv_20150709.txt Vulnerable code not present yet in UCS 4.0-2 (errata4.0-1 shipped 1.0.1e-2+deb7u16).
xorg-server: CVE-2015-3164 (XWayland not present) wireshark: CVE-2015-4651 CVE-2015-4652 (Vulnerable code not present) libvpx: CVE-2015-1258 (vp9 code not present yet) linux: CVE-2015-4692 (Vulnerable code not present) CVE-2015-4001 CVE-2015-4002 CVE-2015-4003 CVE-2015-4004 (Not enabled in Debian kernels and ozwpan driver also not present prior to UCS 4.0) CVE-2015-1328 (Ubuntu specific)
linux: CVE-2014-8171 memcg: OOM handling DoS (kernel parameter required to enable memcg and fix too difficult and risky to backport) linux: CVE-2015-4170: Already fixed in UCS 3.2 Kernel OpenJDK: CVE-2015-2659 GCM cipher issue causing JVM crash (openjdk-8 only) OpenJDK: CVE-2015-4729 CVE-2015-4736: (Deployment components not part of OpenJDK, only present in Oracle Java) OpenJDK: CVE-2015-2597 (MacOS only) qemu-kvm and xen: CVE-2015-5154 Code not yet present in UCS 4.0-2
libtasn1-6: CVE-2015-3622 docker.io: CVE-2015-3631 (code not yet present) qemu/qemu-kvm: CVE-2015-5158 (Vulnerable code not present) apache2: CVE-2015-3185 - Code not present in UCS 3.x / 4.0 firefox/iceweasel: CVE-2015-4495 - Vulnerability isn't present in the current 31 ESR
CVE-2015-5166 / XSA-139: xen-qemu-traditional is not vulnerable CVE-2015-6654 / XSA-141: arch=arm only, so not vulnerable
firefox: CVE-2015-4481 (Windows only) CVE-2015-4491 (Gnome only) CVE-2015-4473 (38.1 and 39 only) CVE-2015-4474 (39 only) CVE-2015-4505 CVE-2015-7178 CVE-2015-7179 (Windows only) php5: CVE-2015-4642 (Windows specific) mysql-5.5: CVE-2015-2661 CVE-2015-2617 CVE-2015-2611 CVE-2015-2639 CVE-2015-4772 CVE-2015-4767 CVE-2015-4757 CVE-2015-4761 CVE-2015-4771 CVE-2015-2641 CVE-2015-4769 (v. 5.6 only)
firefox: CVE-2015-4501 CVE-2015-4502 CVE-2015-4504 CVE-2015-4507 CVE-2015-4508 CVE-2015-4510 CVE-2015-4512 CVE-2015-4516 (Version in UCS 4.0.x not affected)
pcre3: CVE-2015-3210 (Vulnerable code introduced later) sqlite3: CVE-2013-7443 (Vulnerable code introduced in 3.8.2) devscripts: CVE-2015-5705 (Vulnerable code not present) xen: CVE-2015-5166 (Vulnerable code not present) subversion: CVE-2015-3184 (1.6 does not build with apache 2.4) linux: CVE-2015-6526 (PowerPC 64 only) vlc: CVE-2015-5949 (Vulnerability introduced by later changes) firefox: CVE-2015-4477 CVE-2015-4490 (Only affects Firefox 39) firefox: CVE-2015-4502 CVE-2015-4510 CVE-2015-4512 CVE-2015-4507 CVE-2015-4504 CVE-2015-4516 CVE-2015-4501 CVE-2015-4508 (Affects only 40.x) firefox: CVE-2015-7184 (Affects only 41.0) roundcube: CVE-2015-5381 CVE-2015-5382 (unmaintained, Vulnerable code not present) qemu: CVE-2015-3214 CVE-2015-5154 CVE-2015-5165 CVE-2015-5225 CVE-2015-5745 CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855 (maintained binary-packages "qemu-keymaps" and "qemu-utils" are not affected). xen-4.1: CVE-2015-6654/XSA-141 (affects only arm and code not yet in UCS 3.2-x) wireshark: CVE-2015-6241 CVE-2015-6242 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6247 CVE-2015-6248 CVE-2015-6249 (Vulnerable code introduced in 1.12.0) nodejs: CVE-2015-7384 (Vulnerability not present)
gcc-4.9: CVE-2015-5276 mysql-5.5: CVE-2015-4730 CVE-2015-4766 CVE-2015-4791 CVE-2015-4800 CVE-2015-4833 CVE-2015-4862 CVE-2015-4866 CVE-2015-4890 CVE-2015-4895 CVE-2015-4904 CVE-2015-4905 CVE-2015-4910 (mysql-5.6 only) mysql-5.5: CVE-2015-4807 (Windows only) mysql-5.5: CVE-2016-0503 CVE-2016-0504 CVE-2016-0595 CVE-2016-0607 CVE-2016-0610 CVE-2016-0611 (mysql-5.6 only) nodejs: CVE-2015-6764 CVE-2015-8027 (0.10.x versions not affected) openssl: CVE-2015-3193 (Only affects version 1.0.2) subversion: CVE-2015-5259 (affects only 1.9.0 through 1.9.2) CVE-2015-5343 (Code not present) bind9: CVE-2015-8461 (Code not yet present) CVE-2015-3193 (Code not yet present) postgresql-9.1: CVE-2015-5289 <not-affected> (no json datatype) libxml2: CVE-2015-8242 <not-affected> (Vulnerable code introduced later) perl: CVE-2015-8607 <not-affected> (Vulnerable code introduced later) openjdk: CVE-2016-0546 (only affects openjdk-8) firefox: CVE-2015-7195 CVE-2015-4515 CVE-2015-4514 CVE-2015-7187 CVE-2015-4518 (firefox 42.x only) firefox: CVE-2016-1931 CVE-2016-1933 CVE-2016-1937 CVE-2016-1938 CVE-2016-1939 CVE-2016-1942 CVE-2016-1944 CVE-2016-1945 CVE-2016-1946 CVE-2016-1947 (firefox 43.x only)
nettle: CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 (Vulnerable code not present in UCS 4.[0,1]) qemu: CVE-2015-7549 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8701 CVE-2015-8744 CVE-2015-8745 CVE-2016-2197 CVE-2016-2198 CVE-2016-2858 (Vulnerable code not present in UCS 3.x and 4.[0,1]) firefox: CVE-2016-1949 (Only affects Firefox 43.x) CVE-2016-1953 CVE-2016-1955 CVE-2016-1956 CVE-2016-1959 CVE-2016-1963 CVE-2016-1967 CVE-2016-1968 CVE-2016-1970 CVE-2016-1971 CVE-2016-1973 CVE-2016-1975 CVE-2016-1976 CVE-2016-2806 krb5: CVE-2015-8630 (Vulnerability introduced in package version 1.12 which is not part of UCS 3/4.x) bind9: CVE-2015-8705 (Only a series of later versions) php-horde: CVE-2016-2228 (Vulnerable code not present in UCS 3.x) wireshark: CVE-2015-8711 CVE-2015-8712 CVE-2015-8713 CVE-2015-8715 CVE-2015-8717 CVE-2015-8719 CVE-2015-8722 CVE-2015-8726 CVE-2015-8730 CVE-2015-8732 CVE-2015-8733 (Vulnerable code not present in UCS 3.x-4.1) putty: CVE-2016-2563 samba: CVE-2016-0771 (UCS doesn't run the internal DNS implementation) xen: (CVE-2015-8615 / XSA-169) [Only 4.6] bind9: CVE-2015-8705 CVE-2016-2088 [Only 9.10.x] pcre3: CVE-2016-1283 [Only 8.38] CVE-2014-9769 CVE-2015-8380 CVE-2015-8381 CVE-2015-8383 CVE-2015-8384 CVE-2015-8386 CVE-2015-8389 CVE-2015-8392 CVE-2015-8395 CVE-2016-1283 (Vulnerable code not present) postgresql: CVE-2016-2193 CVE-2016-3065 (Only 9.5.x) linux: CVE-2016-2085 (EVM not enabled) php5: CVE-2016-3185 (Only php7.0) squid3: CVE-2016-4553 (issue introduced by CVE-2009-0801 fix, not applied in wheezy) lcms2: CVE-2013-7455 (vulnerable code not present, no cmsPipelineFree(Lut); in Error:-part) openssh: CVE-2016-1907 (Vulnerable code not present; Introduced in OpenSSH 6.8) libarchive: CVE-2016-1541 (Vulnerable code not present)
linux: CVE-2016-4440 (4.5) CVE-2015-3288 CVE-2016-9777 (4.8) CVE-2012-6704 (UCS 3.2 only) nginx: CVE-2016-4450 (not-affected, introduced in 1.3.9) xen: CVE-2016-5242 / XSA-181 (ARM), CVE-2016-9377 CVE-2016-9378 CVE-2016-9384 CVE-2016-9385 (only 4.4), CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818 / XSA-201 (ARM) php5: CVE-2014-9652 out-of-bounds memory access (Entered: 3.2, 4.0). dnsmasq: CVE-2015-8899 (Vulnerable code introduced later than UCS 4.1) eglibc: CVE-2015-5277 (Vulnerable code not present) CVE-2016-6323 (Vulnerable code not present) krb5: CVE-2016-3119 (MIT kadmind, not used in UCS) libimobiledevice: CVE-2016-5104 (Vulnerable code not present) ntp: CVE-2015-7975 CVE-2016-4956 CVE-2016-4957 libarchive: CVE-2015-8916 CVE-2015-8928 bind9: CVE-2016-2775 (Minor issue; lwresd not commonly used) libgd2: CVE-2015-8877 CVE-2016-5116 CVE-2016-6128 CVE-2016-6132 CVE-2016-6207 CVE-2016-6214 CVE-2016-7568 (Vulnerable code not present) openjdk-7: CVE-2016-3610 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2016-3511 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) CVE-2016-3503 (openjfx) CVE-2016-3485 (Windows-specific) curl: CVE-2016-5421 (introduced in 7.32.0) krb5: CVE-2016-3120 (MIT KDC not used in UCS) libimobiledevice: CVE-2016-5104 (Vulnerable code not present) php5: CVE-2015-8873 (Fixed in 5.4.44), CVE-2015-8876 (Fixed in 5.4.44), CVE-2015-8935 (Fixed in 5.4.38), CVE-2016-5114 (vulnerable code not present) libgd2: CVE-2016-6207 (Vulnerable code not present) CVE-2016-7568 libidn: CVE-2016-6262 (Vulnerable code not present) qemu/qemu-kvm: CVE-2016-6490 CVE-2016-6833 CVE-2016-6834 CVE-2016-6836 CVE-2016-6888 CVE-2016-7155 CVE-2016-7156 CVE-2016-7157 CVE-2016-7421 CVE-2016-7422 CVE-2016-7423 (Vulnerable code not present) bind9: CVE-2016-2775 (lwresd not enabled) gdk-pixbuf: CVE-2016-6352 (Fails with ENOMEM, no crash) nginx: CVE-2016-1247 firefox: CVE-2016-5287 CVE-2016-5288 CVE-2016-5293
CVE-2016-5294 CVE-2016-5289 CVE-2016-5292 CVE-2016-9063 CVE-2016-9067 CVE-2016-9068 CVE-2016-9069 CVE-2016-9070 CVE-2016-9071 CVE-2016-9073 CVE-2016-9075 CVE-2016-9076 CVE-2016-9077 openssl: CVE-2016-7053 CVE-2016-7054 (only 1.1.0) wireshark: CVE-2016-9372 CVE-2016-9373 CVE-2016-9374 CVE-2016-9375 CVE-2016-9376 p7zip: CVE-2016-9372 dovecot: CVE-2016-8652 (Only affects 2.2.25 up) apt: CVE-2016-1252 (Issue introduced in apt >= 0.9.8)
shadow: CVE-2016-6252 ([wheezy] - shadow <not-affected> (Vulnerable code not present))
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 3.0. UCS 3.0 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.