[Secure-testing-commits] r47394 - data/CVE

security tracker role sectracker at moszumanska.debian.org
Fri Dec 23 21:10:12 UTC 2016 

Author: sectracker
Date: 2016-12-23 21:10:12 +0000 (Fri, 23 Dec 2016)
New Revision: 47394

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-12-23 20:58:46 UTC (rev 47393)
+++ data/CVE/list	2016-12-23 21:10:12 UTC (rev 47394)
@@ -1,3 +1,11 @@
+CVE-2016-10033
+	RESERVED
+CVE-2016-10032
+	RESERVED
+CVE-2016-10031
+	RESERVED
+CVE-2016-10030
+	RESERVED
 CVE-2017-3894
 	RESERVED
 CVE-2017-3893
@@ -211,6 +219,7 @@
 CVE-2016-5103
 	REJECTED
 CVE-2016-10027
+	RESERVED
 	- libsmack-java <itp> (bug #640873)
 CVE-2016-10023
 	RESERVED
@@ -249,6 +258,7 @@
 	- xen 4.8.0-1
 	NOTE: https://xenbits.xen.org/xsa/advisory-202.html
 CVE-2016-10028 [display: virtio-gpu-3d: OOB access while reading virgl capabilities]
+	RESERVED
 	- qemu <unfixed>
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -256,6 +266,7 @@
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/1
 CVE-2016-10029 [display: virtio-gpu: out of bounds read in virtio_gpu_set_scanout]
+	RESERVED
 	- qemu 1:2.7+dfsg-1
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -1835,8 +1846,8 @@
 	RESERVED
 CVE-2016-9890
 	RESERVED
-CVE-2016-9889
-	RESERVED
+CVE-2016-9889 (Some forms with the parameter geo_zoomlevel_to_found_location in Tiki ...)
+	TODO: check
 CVE-2016-9888 (An error within the "tar_directory_for_file()" function ...)
 	{DLA-740-1}
 	- libgsf 1.14.41-1
@@ -8650,8 +8661,7 @@
 	NOT-FOR-US: SAP
 CVE-2016-9562 (SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of ...)
 	NOT-FOR-US: SAP
-CVE-2016-9561
-	RESERVED
+CVE-2016-9561 (The che_configure function in libavcodec/aacdec_template.c in FFmpeg ...)
 	- ffmpeg <unfixed> (unimportant)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/08/1
 	NOTE: non-issue, legitimate media file. If a server application uses libav* on untrusted media
@@ -10243,8 +10253,8 @@
 	TODO: check
 CVE-2016-9155 (The following SIEMENS branded IP Camera Models CCMW3025, CVMW3025-IR, ...)
 	NOT-FOR-US: Siemens
-CVE-2016-9154
-	RESERVED
+CVE-2016-9154 (Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo ...)
+	TODO: check
 CVE-2016-9153
 	RESERVED
 CVE-2016-9152 (Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in ...)
@@ -10275,8 +10285,7 @@
 	NOTE: Followed by a complete set of related upstrema commits. See kernel-sec
 	NOTE: triage for details.
 	NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/6
-CVE-2016-9179 [invalid URL parsing with '?']
-	RESERVED
+CVE-2016-9179 (lynx: It was found that Lynx doesn't parse the authority component of ...)
 	{DLA-719-1}
 	- lynx 2.8.9dev11-1 (bug #843258)
 	- lynx-cur <removed>
@@ -10311,8 +10320,7 @@
 	RESERVED
 CVE-2016-9141
 	RESERVED
-CVE-2016-9181 [Image-Info: XXE in SVG files]
-	RESERVED
+CVE-2016-9181 (perl-Image-Info: When parsing an SVG file, external entity expansion ...)
 	- libimage-info-perl 1.39-1 (bug #842891)
 	[jessie] - libimage-info-perl <no-dsa> (Minor issue)
 	[wheezy] - libimage-info-perl <no-dsa> (Minor issue)
@@ -10326,8 +10334,7 @@
 	NOTE: so as a workaround the underlying SAX parser is fixed to
 	NOTE: XML::SAX::PurePerl which is uncapable of processing external entities
 	NOTE: but unfortunately it is also a slow parser.
-CVE-2016-9180 [XML-Twig: expand_external_ents fails to work as documented]
-	RESERVED
+CVE-2016-9180 (perl-XML-Twig: The option to `expand_external_ents`, documented as ...)
 	- libxml-twig-perl <unfixed> (bug #842893)
 	[jessie] - libxml-twig-perl <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118097
@@ -10568,7 +10575,7 @@
 	- firefox-esr <not-affected> (Does not affect Firefox 45 ESR release)
 CVE-2016-9074 [existing mitigation of timing side-channel attacks insufficient]
 	RESERVED
-	{DSA-3730-1 DSA-3716-1 DLA-752-1}
+	{DSA-3730-1 DSA-3716-1 DLA-759-1 DLA-752-1}
 	- nss 2:3.26.2-1
 	[jessie] - nss <no-dsa> (Minor issue, can be fixed in point release or future DSA)
 	NOTE: Fixed by (3_26_BRANCH): https://hg.mozilla.org/projects/nss/rev/d38536fcc726 (3.26.1)
@@ -12075,8 +12082,7 @@
 CVE-2016-8596 (Buffer overflow in the csp_can_process_frame in csp_if_can.c in the ...)
 	- libcsp <unfixed> (bug #843012)
 	NOTE: https://github.com/GomSpace/libcsp/pull/81/commits/4435fbed4090ff3cd090a61517430fe8a3924cd8
-CVE-2016-8595
-	RESERVED
+CVE-2016-8595 (The gsm_parse function in libavcodec/gsm_parser.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.5-1
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/08/2
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/987690799dd86433bf98b897aaa4c8d93ade646d
@@ -14438,8 +14444,7 @@
 	RESERVED
 CVE-2016-7955
 	RESERVED
-CVE-2016-7954 [code execution via gem name collission in bundler]
-	RESERVED
+CVE-2016-7954 (Bundler 1.x might allow remote attackers to inject arbitrary Ruby code ...)
 	- bundler <unfixed> (bug #842504)
 	[jessie] - bundler <no-dsa> (Minor issue, too intrusive to backport)
 	[wheezy] - bundler <no-dsa> (Minor issue, too intrusive to backport)
@@ -14620,8 +14625,7 @@
 	[wheezy] - imagemagick <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/281
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0
-CVE-2016-7905
-	RESERVED
+CVE-2016-7905 (The read_gab2_sub function in libavformat/avidec.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9 (n3.1.4)
 CVE-2016-7904
@@ -14915,8 +14919,7 @@
 	TODO: need investigation for kde-runtime, the kdesu.cpp is present, compiled, but not clear if just affected but (unimportant).
 CVE-2016-7786
 	RESERVED
-CVE-2016-7785
-	RESERVED
+CVE-2016-7785 (The avi_read_seek function in libavformat/avidec.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b (n3.1.4)
 CVE-2016-7784
@@ -15384,8 +15387,7 @@
 CVE-2016-7563
 	RESERVED
 	NOT-FOR-US: MuJS
-CVE-2016-7562
-	RESERVED
+CVE-2016-7562 (The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804 (n3.1.4)
 CVE-2016-7561 (Fortinet FortiWLC 6.1-2-29 and earlier, 7.0-9-1, 7.0-10-0, 8.0-5-0, ...)
@@ -15400,8 +15402,7 @@
 	RESERVED
 CVE-2016-7556
 	RESERVED
-CVE-2016-7555
-	RESERVED
+CVE-2016-7555 (The avi_read_header function in libavformat/avidec.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8834e080c20d3d23c3ffe779371359f9b9b835ec (n3.1.4)
 CVE-2016-7554
@@ -15486,8 +15487,7 @@
 	NOT-FOR-US: MuJS
 CVE-2016-7503
 	RESERVED
-CVE-2016-7502
-	RESERVED
+CVE-2016-7502 (The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9d738e6968757d4e70c8e07e0b720ac0004accc4 (n3.1.4)
 CVE-2016-7501
@@ -15598,8 +15598,7 @@
 	NOT-FOR-US: Exponent CMS
 CVE-2016-7451
 	RESERVED
-CVE-2016-7450
-	RESERVED
+CVE-2016-7450 (The ff_log2_16bit_c function in libavutil/intmath.h in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ac8ac46641adef208485baebc3734463bf0bd266 (n3.1.4)
 CVE-2016-7449 [all TIFF related problems due to use of strlcpy use]
@@ -16522,8 +16521,7 @@
 	- moin 1.9.9-1 (bug #844340)
 	NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/1563d6db198c
 	NOTE: https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
-CVE-2016-7122
-	RESERVED
+CVE-2016-7122 (The avi_read_nikon function in libavformat/avidec.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.4-1 (bug #840434)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ed38046c5c2e3b310980be32287179895c83e0d8 (n3.1.4)
 CVE-2016-7121
@@ -16840,8 +16838,7 @@
 	NOTE: http://marc.info/?l=linux-fsdevel&m=147162313630259&w=2
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1368938
 	NOTE: Fixed by: https://git.kernel.org/linus/073931017b49d9458aa351605b43a7e34598caef
-CVE-2016-7091
-	RESERVED
+CVE-2016-7091 (sudo: It was discovered that the default sudo configuration on Red Hat ...)
 	- sudo <not-affected> (Debian not including INPUTRC in /etc/sudoers)
 	NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1339935
 	NOTE: The scope of this CVE is the entire 'INPUTRC should
@@ -17287,8 +17284,8 @@
 	NOT-FOR-US: OSSIM
 CVE-2016-6912
 	RESERVED
-CVE-2016-6910
-	RESERVED
+CVE-2016-6910 (The non-existent notification listener vulnerability was introduced in ...)
+	TODO: check
 CVE-2016-6909 (Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before ...)
 	NOT-FOR-US: Fortinet
 CVE-2016-6908
@@ -17328,8 +17325,7 @@
 	NOTE: https://www.kb.cert.org/vuls/id/396440
 CVE-2016-6889
 	RESERVED
-CVE-2016-6881 [ffmpeg endless loop when dealing with craft swf]
-	RESERVED
+CVE-2016-6881 (The zlib_refill function in libavformat/swfdec.c in FFmpeg before ...)
 	- ffmpeg 7:3.1.3-1 (unimportant)
 	- libav <undetermined> (unimportant)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/09/26/6
@@ -17988,8 +17984,7 @@
 	NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02108.html
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1366369
 	NOTE: http://www.openwall.com/lists/oss-security/2016/08/11/5
-CVE-2016-6671 [buffer overflow when decoding swf]
-	RESERVED
+CVE-2016-6671 (The raw_decode function in libavcodec/rawdec.c in FFmpeg before 3.1.2 ...)
 	- ffmpeg 7:3.1.2-1
 CVE-2016-6670 (Huawei S7700, S9300, S9700, and S12700 devices with software before ...)
 	NOT-FOR-US: Huawei
@@ -18052,8 +18047,8 @@
 	RESERVED
 CVE-2016-6660
 	RESERVED
-CVE-2016-6659
-	RESERVED
+CVE-2016-6659 (Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, ...)
+	TODO: check
 CVE-2016-6658
 	RESERVED
 CVE-2016-6657 (An open redirect vulnerability has been detected with some Pivotal ...)
@@ -24071,7 +24066,7 @@
 	- chromium-browser 52.0.2743.82-1
 	[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
 CVE-2016-5131 (Use-after-free vulnerability in libxml2 through 2.9.4, as used in ...)
-	{DSA-3637-1 DLA-691-1}
+	{DSA-3744-1 DSA-3637-1 DLA-691-1}
 	- chromium-browser 52.0.2743.82-1
 	[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
 	- libxml2 2.9.4+dfsg1-2.1 (bug #840554)
@@ -25623,7 +25618,7 @@
 CVE-2016-4659
 	RESERVED
 CVE-2016-4658 (libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and ...)
-	{DLA-691-1}
+	{DSA-3744-1 DLA-691-1}
 	- libxml2 2.9.4+dfsg1-2.1 (bug #840553)
 	NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
 CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to execute ...)
@@ -94829,8 +94824,7 @@
 	[wheezy] - ikiwiki-hosting <no-dsa> (Minor XSS)
 CVE-2013-6046
 	RESERVED
-CVE-2016-9675 [Incorrect fix for CVE-2013-6045]
-	RESERVED
+CVE-2016-9675 (openjpeg: A heap-based buffer overflow flaw was found in the patch for ...)
 	- openjpeg 1.5.2-1
 	[wheezy] - openjpeg 1.3+dfsg-4.8
 	[squeeze] - openjpeg 1.3+dfsg-4+squeeze3

More information about the Secure-testing-commits mailing list