Debian Linux

DATE	CVE	VULNERABILITY TITLE	RISK
2014-10-15	CVE-2014-3566	Cryptographic Issues vulnerability in multiple products The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. network high complexity redhat ibm apple mageia novell opensuse fedoraproject openssl netbsd debian oracle CWE-310	3.4
2014-10-10	CVE-2014-5270	Information Exposure vulnerability in multiple products Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. local low complexity gnupg debian CWE-200	2.1
2014-10-07	CVE-2014-7204	Resource Management Errors vulnerability in multiple products jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial of service (infinite loop and CPU and disk consumption) via a crafted JavaScript file. network low complexity canonical debian mageia CWE-399	5.0
2014-10-06	CVE-2014-6054	Numeric Errors vulnerability in multiple products The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message. network libvncserver debian canonical CWE-189	4.3
2014-10-02	CVE-2014-7155	Permissions, Privileges, and Access Controls vulnerability in multiple products The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. low complexity xen debian fedoraproject opensuse CWE-264	5.8
2014-10-02	CVE-2014-7154	Race Condition vulnerability in multiple products Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. low complexity fedoraproject debian xen opensuse CWE-362	6.1
2014-09-30	CVE-2014-6055	Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message. network low complexity fedoraproject debian redhat libvncserver CWE-119	6.5
2014-09-30	CVE-2014-6051	Numeric Errors vulnerability in multiple products Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow. network low complexity redhat fedoraproject libvncserver debian oracle CWE-189	7.5
2014-09-25	CVE-2014-7169	OS Command Injection vulnerability in multiple products GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. network low complexity gnu arista oracle qnap mageia redhat suse opensuse debian ibm canonical novell checkpoint f5 citrix apple vmware CWE-78 critical	9.8
2014-09-24	CVE-2014-6271	OS Command Injection vulnerability in multiple products GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. network low complexity gnu arista oracle qnap mageia redhat suse opensuse debian ibm canonical novell checkpoint f5 citrix apple vmware CWE-78 critical	9.8