[Secure-testing-commits] r40828 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Fri Apr 8 21:10:14 UTC 2016
Author: sectracker
Date: 2016-04-08 21:10:14 +0000 (Fri, 08 Apr 2016)
New Revision: 40828
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-04-08 19:55:29 UTC (rev 40827)
+++ data/CVE/list 2016-04-08 21:10:14 UTC (rev 40828)
@@ -1,3 +1,19 @@
+CVE-2016-3976 (Directory traversal vulnerability in SAP NetWeaver AS Java 7.4 allows ...)
+ TODO: check
+CVE-2016-3975 (Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.4 ...)
+ TODO: check
+CVE-2016-3974 (XML external entity (XXE) vulnerability in the Configuration Wizard in ...)
+ TODO: check
+CVE-2016-3973 (The chat feature in the Real-Time Collaboration (RTC) services in SAP ...)
+ TODO: check
+CVE-2016-3972
+ RESERVED
+CVE-2016-3971
+ RESERVED
+CVE-2016-3970
+ RESERVED
+CVE-2015-8840 (The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does ...)
+ TODO: check
CVE-2016-XXXX [exploitable integer overflow in _imlib_SaveImage]
- imlib2 1.4.7-1 (bug #820206)
NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299
@@ -17,12 +33,15 @@
CVE-2016-7921
REJECTED
CVE-2016-3982 [optipng: heap buffer overflow pngxrbmp.c bmp_rle4_fread]
+ {DSA-3546-1}
- optipng <unfixed>
NOTE: https://sourceforge.net/p/optipng/bugs/57/
CVE-2016-3981 [optipng: heap buffer overflow pngxrbmp.c bmp_read_rows]
+ {DSA-3546-1}
- optipng <unfixed>
NOTE: https://sourceforge.net/p/optipng/bugs/56/
CVE-2016-3977 [gif2rgb: heap buffer overflow]
+ RESERVED
- giflib <unfixed>
NOTE: https://sourceforge.net/p/giflib/bugs/87/
NOTE: https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/
@@ -99,8 +118,7 @@
[wheezy] - imlib2 <no-dsa> (Minor issue)
CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access]
- x11vnc <unfixed> (bug #672435)
-CVE-2016-3948 [Denial of service]
- RESERVED
+CVE-2016-3948 (Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds ...)
- squid3 3.5.16-1 (bug #819784)
[jessie] - squid3 <no-dsa> (Minor issue; needs substantial backporting; too intrusive to backport)
[wheezy] - squid3 <no-dsa> (Minor issue; needs substantial backporting; too intrusive to backport)
@@ -108,8 +126,7 @@
NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
TODO: check src:squid, possibly as wel not-affected since CVE-2016-2569 was as well
-CVE-2016-3947 [buffer overrun in Squid proxy 'pinger']
- RESERVED
+CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in ...)
- squid3 3.5.16-1 (bug #819783)
[jessie] - squid3 <no-dsa> (Minor issue)
[wheezy] - squid3 <no-dsa> (Minor issue)
@@ -2602,8 +2619,7 @@
RESERVED
CVE-2016-2852
RESERVED
-CVE-2016-2851
- RESERVED
+CVE-2016-2851 (Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms ...)
{DSA-3512-1}
- libotr 4.1.1-1 (bug #817799)
NOTE: https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html
@@ -2669,8 +2685,7 @@
- tidy-html5 <itp> (bug #770129)
NOTE: https://github.com/htacg/tidy-html5/issues/380
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/03/04/2
-CVE-2016-2858 [rng-random: arbitrary stack based allocation leading to corruption]
- RESERVED
+CVE-2016-2858 (QEMU, when built with the Pseudo Random Number Generator (PRNG) ...)
- qemu <unfixed> (bug #817183)
[jessie] - qemu <no-dsa> (Minor issue)
[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -2901,8 +2916,8 @@
- icedove 38.7.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
- graphite2 1.3.6-1
-CVE-2016-2789
- RESERVED
+CVE-2016-2789 (Cross-site scripting (XSS) vulnerability in the Web User Interface in ...)
+ TODO: check
CVE-2015-8829
RESERVED
CVE-2015-8828
@@ -3448,8 +3463,7 @@
RESERVED
CVE-2016-2564
RESERVED
-CVE-2016-2563 [old-style scp downloads may allow remote code execution]
- RESERVED
+CVE-2016-2563 (Stack-based buffer overflow in the SCP command-line utility in PuTTY ...)
- putty 0.67-1 (bug #816921)
[wheezy] - putty <no-dsa> (Minor issue)
[jessie] - putty <no-dsa> (Minor issue)
@@ -3853,8 +3867,7 @@
CVE-2016-2515
RESERVED
NOT-FOR-US: NodeJS Hawk
-CVE-2016-2511 [Reflected Cross-Site Scripting]
- RESERVED
+CVE-2016-2511 (Cross-site scripting (XSS) vulnerability in WebSVN 2.3.3 and earlier ...)
{DSA-3490-1 DLA-428-1}
- websvn <removed>
CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform ...)
@@ -4076,8 +4089,7 @@
- didiwiki 0.5-12 (bug #815111)
NOTE: https://github.com/OpenedHand/didiwiki/pull/1/files
NOTE: http://www.openwall.com/lists/oss-security/2016/02/19/4
-CVE-2016-2510 [remote code execution vulnerability]
- RESERVED
+CVE-2016-2510 (BeanShell (bsh) before 2.0b6, when included on the classpath by an ...)
{DSA-3504-1 DLA-443-1}
- bsh 2.0b4-16
NOTE: https://github.com/beanshell/beanshell/releases/tag/2.0b6
@@ -4742,8 +4754,7 @@
NOTE: Just for cross-compiling, not used for actual packages
NOTE: http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac
NOTE: http://www.openwall.com/lists/oss-security/2016/02/05/2
-CVE-2016-2216
- RESERVED
+CVE-2016-2216 (The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 ...)
- nodejs 4.3.0~dfsg-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
@@ -5122,8 +5133,7 @@
- foreman <itp> (bug #663101)
CVE-2016-2099
RESERVED
-CVE-2016-2098 [Possible remote code execution vulnerability in Action Pack]
- RESERVED
+CVE-2016-2098 (Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and ...)
{DSA-3509-1}
- rails 2:4.2.5.2-1
[wheezy] - rails <not-affected> (Vulnerable code not present, is only a transitional package)
@@ -5133,8 +5143,7 @@
[wheezy] - ruby-actionpack-2.3 <end-of-life>
NOTE: Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x
NOTE: Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2
-CVE-2016-2097
- RESERVED
+CVE-2016-2097 (Directory traversal vulnerability in Action View in Ruby on Rails ...)
{DSA-3509-1}
- rails 2:4.2.5.2-1
[wheezy] - rails <not-affected> (Vulnerable code not present, is only a transitional package)
@@ -5304,8 +5313,7 @@
NOTE: https://kb.isc.org/article/AA-01351
CVE-2016-2087
RESERVED
-CVE-2016-2086
- RESERVED
+CVE-2016-2086 (Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before ...)
- nodejs 4.3.0~dfsg-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
@@ -7037,8 +7045,7 @@
NOT-FOR-US: SAP Afaria
CVE-2015-8752
RESERVED
-CVE-2016-1714 [nvram: OOB r/w access in processing firmware configurations]
- RESERVED
+CVE-2016-1714 (The (1) fw_cfg_write and (2) fw_cfg_read functions in ...)
{DSA-3471-1 DSA-3470-1 DSA-3469-1}
- qemu 1:2.5+dfsg-4
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
@@ -7148,8 +7155,7 @@
RESERVED
CVE-2016-1532
RESERVED
-CVE-2016-1531 [privilege escalation]
- RESERVED
+CVE-2016-1531 (Exim before 4.86.2, when installed setuid root, allows local users to ...)
{DSA-3517-1}
- exim4 4.86.2-1
NOTE: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
@@ -8501,12 +8507,12 @@
RESERVED
CVE-2015-8682
RESERVED
-CVE-2015-8681
- RESERVED
-CVE-2015-8680
- RESERVED
-CVE-2015-8679
- RESERVED
+CVE-2015-8681 (The ovisp driver in Huawei P8 smartphones with software GRA-TL00 ...)
+ TODO: check
+CVE-2015-8680 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 ...)
+ TODO: check
+CVE-2015-8679 (The (1) ION and (2) Maxim_smartpa_dev drivers in Huawei P8 smartphones ...)
+ TODO: check
CVE-2015-8678
RESERVED
CVE-2015-8677
@@ -9568,24 +9574,19 @@
NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/
CVE-2016-0793 (Incomplete blacklist vulnerability in the servlet filter restriction ...)
TODO: check
-CVE-2016-0792
- RESERVED
+CVE-2016-0792 (Multiple unspecified API endpoints in CloudBees Jenkins before 1.650 ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
-CVE-2016-0791
- RESERVED
+CVE-2016-0791 (CloudBees Jenkins before 1.650 and LTS before 1.642.2 do not use a ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
-CVE-2016-0790
- RESERVED
+CVE-2016-0790 (CloudBees Jenkins before 1.650 and LTS before 1.642.2 do not use a ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
-CVE-2016-0789
- RESERVED
+CVE-2016-0789 (CRLF injection vulnerability in the CLI command documentation in ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
-CVE-2016-0788
- RESERVED
+CVE-2016-0788 (The remoting module in CloudBees Jenkins before 1.650 and LTS before ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
CVE-2016-0787 [Weak Diffie-Hellman secret generation in libssh2 before 1.7.0]
@@ -9803,8 +9804,7 @@
CVE-2016-0735
RESERVED
NOT-FOR-US: Apache Ranger
-CVE-2016-0734 [Clickjacking]
- RESERVED
+CVE-2016-0734 (The web-based administration console in Apache ActiveMQ 5.x before ...)
- activemq <not-affected> (Admin console not enabled in the Debian package, see #702670)
NOTE: https://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
CVE-2016-0733
@@ -9816,8 +9816,7 @@
RESERVED
CVE-2016-0730
RESERVED
-CVE-2016-0729 [Apache Xerces-C XML Parser Crashes on Malformed Input]
- RESERVED
+CVE-2016-0729 (Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) ...)
{DSA-3493-1 DLA-433-1}
- xerces-c 3.1.3+debian-1 (bug #815907)
NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
@@ -12393,10 +12392,10 @@
NOTE: https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html
CVE-2015-8321
RESERVED
-CVE-2015-8319
- RESERVED
-CVE-2015-8318
- RESERVED
+CVE-2015-8319 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...)
+ TODO: check
+CVE-2015-8318 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...)
+ TODO: check
CVE-2015-8315
RESERVED
CVE-2015-8314
@@ -12416,12 +12415,12 @@
RESERVED
CVE-2015-8309
RESERVED
-CVE-2015-8307
- RESERVED
+CVE-2015-8307 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 ...)
+ TODO: check
CVE-2015-8306 (Buffer overflow in the HIFI driver in Huawei P8 phones with software ...)
NOT-FOR-US: Huawei
-CVE-2015-8305
- RESERVED
+CVE-2015-8305 (Huawei Sophia-L10 smartphones with software before P7-L10C900B852 ...)
+ TODO: check
CVE-2015-8304
RESERVED
CVE-2015-8303 (Huawei Document Security Management (DSM) with software before ...)
@@ -28488,8 +28487,7 @@
NOT-FOR-US: Websense TRITON
CVE-2010-5323 (Directory traversal vulnerability in UploadServlet in the Remote ...)
NOT-FOR-US: Novell ZENworks Configuration Management
-CVE-2015-2774 [Erlang POODLE TLS vulnerability]
- RESERVED
+CVE-2015-2774 (Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes ...)
- erlang 1:17.3-dfsg-4 (low; bug #781839)
[squeeze] - erlang <no-dsa> (Minor issue)
[wheezy] - erlang <no-dsa> (Minor issue)
@@ -39881,7 +39879,7 @@
RESERVED
CVE-2014-8619 (Cross-site scripting (XSS) vulnerability in the autolearn ...)
NOT-FOR-US: Fortinet FortiWeb
-CVE-2014-8618 (Cross-site scripting (XSS) vulnerability in theme login page in ...)
+CVE-2014-8618 (Cross-site scripting (XSS) vulnerability in the theme login page in ...)
NOT-FOR-US: Fortinet FortiADC
CVE-2014-8617 (Cross-site scripting (XSS) vulnerability in the Web Action Quarantine ...)
NOT-FOR-US: FortiMail
@@ -66403,7 +66401,7 @@
NOT-FOR-US: Yealink VoIP Phone
CVE-2013-5756 (Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G ...)
NOT-FOR-US: Yealink VoIP Phone
-CVE-2013-5755 (config/.htpasswd in Yealink IP Phone SIP-T38G have a hardcoded ...)
+CVE-2013-5755 (config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password ...)
NOT-FOR-US: Yealink IP Phone
CVE-2013-5754 (The authorization implementation on Dahua DVR appliances accepts a ...)
NOT-FOR-US: Dahua DVR
More information about the Secure-testing-commits
mailing list