[Secure-testing-commits] r41870 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Wed May 18 21:10:12 UTC 2016
Author: sectracker
Date: 2016-05-18 21:10:12 +0000 (Wed, 18 May 2016)
New Revision: 41870
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-05-18 20:02:19 UTC (rev 41869)
+++ data/CVE/list 2016-05-18 21:10:12 UTC (rev 41870)
@@ -1,3 +1,205 @@
+CVE-2016-4910
+ RESERVED
+CVE-2016-4909
+ RESERVED
+CVE-2016-4908
+ RESERVED
+CVE-2016-4907
+ RESERVED
+CVE-2016-4906
+ RESERVED
+CVE-2016-4905
+ RESERVED
+CVE-2016-4904
+ RESERVED
+CVE-2016-4903
+ RESERVED
+CVE-2016-4902
+ RESERVED
+CVE-2016-4901
+ RESERVED
+CVE-2016-4900
+ RESERVED
+CVE-2016-4899
+ RESERVED
+CVE-2016-4898
+ RESERVED
+CVE-2016-4897
+ RESERVED
+CVE-2016-4896
+ RESERVED
+CVE-2016-4895
+ RESERVED
+CVE-2016-4894
+ RESERVED
+CVE-2016-4893
+ RESERVED
+CVE-2016-4892
+ RESERVED
+CVE-2016-4891
+ RESERVED
+CVE-2016-4890
+ RESERVED
+CVE-2016-4889
+ RESERVED
+CVE-2016-4888
+ RESERVED
+CVE-2016-4887
+ RESERVED
+CVE-2016-4886
+ RESERVED
+CVE-2016-4885
+ RESERVED
+CVE-2016-4884
+ RESERVED
+CVE-2016-4883
+ RESERVED
+CVE-2016-4882
+ RESERVED
+CVE-2016-4881
+ RESERVED
+CVE-2016-4880
+ RESERVED
+CVE-2016-4879
+ RESERVED
+CVE-2016-4878
+ RESERVED
+CVE-2016-4877
+ RESERVED
+CVE-2016-4876
+ RESERVED
+CVE-2016-4875
+ RESERVED
+CVE-2016-4874
+ RESERVED
+CVE-2016-4873
+ RESERVED
+CVE-2016-4872
+ RESERVED
+CVE-2016-4871
+ RESERVED
+CVE-2016-4870
+ RESERVED
+CVE-2016-4869
+ RESERVED
+CVE-2016-4868
+ RESERVED
+CVE-2016-4867
+ RESERVED
+CVE-2016-4866
+ RESERVED
+CVE-2016-4865
+ RESERVED
+CVE-2016-4864
+ RESERVED
+CVE-2016-4863
+ RESERVED
+CVE-2016-4862
+ RESERVED
+CVE-2016-4861
+ RESERVED
+CVE-2016-4860
+ RESERVED
+CVE-2016-4859
+ RESERVED
+CVE-2016-4858
+ RESERVED
+CVE-2016-4857
+ RESERVED
+CVE-2016-4856
+ RESERVED
+CVE-2016-4855
+ RESERVED
+CVE-2016-4854
+ RESERVED
+CVE-2016-4853
+ RESERVED
+CVE-2016-4852
+ RESERVED
+CVE-2016-4851
+ RESERVED
+CVE-2016-4850
+ RESERVED
+CVE-2016-4849
+ RESERVED
+CVE-2016-4848
+ RESERVED
+CVE-2016-4847
+ RESERVED
+CVE-2016-4846
+ RESERVED
+CVE-2016-4845
+ RESERVED
+CVE-2016-4844
+ RESERVED
+CVE-2016-4843
+ RESERVED
+CVE-2016-4842
+ RESERVED
+CVE-2016-4841
+ RESERVED
+CVE-2016-4840
+ RESERVED
+CVE-2016-4839
+ RESERVED
+CVE-2016-4838
+ RESERVED
+CVE-2016-4837
+ RESERVED
+CVE-2016-4836
+ RESERVED
+CVE-2016-4835
+ RESERVED
+CVE-2016-4834
+ RESERVED
+CVE-2016-4833
+ RESERVED
+CVE-2016-4832
+ RESERVED
+CVE-2016-4831
+ RESERVED
+CVE-2016-4830
+ RESERVED
+CVE-2016-4829
+ RESERVED
+CVE-2016-4828
+ RESERVED
+CVE-2016-4827
+ RESERVED
+CVE-2016-4826
+ RESERVED
+CVE-2016-4825
+ RESERVED
+CVE-2016-4824
+ RESERVED
+CVE-2016-4823
+ RESERVED
+CVE-2016-4822
+ RESERVED
+CVE-2016-4821
+ RESERVED
+CVE-2016-4820
+ RESERVED
+CVE-2016-4819
+ RESERVED
+CVE-2016-4818
+ RESERVED
+CVE-2016-4817
+ RESERVED
+CVE-2016-4816
+ RESERVED
+CVE-2016-4815
+ RESERVED
+CVE-2016-4814
+ RESERVED
+CVE-2016-4813
+ RESERVED
+CVE-2016-4812
+ RESERVED
+CVE-2016-4811
+ RESERVED
+CVE-2016-4810
+ RESERVED
CVE-2016-4913 [information leak in Rock Ridge Extensions to iso9660]
- linux 4.5.4-1
NOTE: Fixed by: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 (v4.6)
@@ -7,6 +209,7 @@
NOTE: isn't checked.
TODO: double-check
CVE-2016-4911 [Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass]
+ RESERVED
- keystone <unfixed> (bug #824683)
[jessie] - keystone <not-affected> (affects only 9.0.0)
[wheezy] - keystone <not-affected> (affects only 9.0.0)
@@ -1229,8 +1432,7 @@
- atheme-services 7.0.7-2
NOTE: https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e
NOTE: http://www.openwall.com/lists/oss-security/2016/05/02/2
-CVE-2016-4425 [stack exhaustion parsing a JSON file]
- RESERVED
+CVE-2016-4425 (Jansson 2.7 and earlier allows context-dependent attackers to cause a ...)
{DSA-3577-1 DLA-471-1}
- jansson 2.7-5 (bug #823238)
NOTE: https://github.com/akheron/jansson/issues/282
@@ -2919,32 +3121,25 @@
CVE-2016-3728
RESERVED
- foreman <itp> (bug #663101)
-CVE-2016-3727
- RESERVED
+CVE-2016-3727 (The API URL computer/(master)/api/xml in CloudBees Jenkins before 2.3 ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3726
- RESERVED
+CVE-2016-3726 (Multiple open redirect vulnerabilities in CloudBees Jenkins before 2.3 ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3725
- RESERVED
+CVE-2016-3725 (CloudBees Jenkins before 2.3 and LTS before 1.651.2 allows remote ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3724
- RESERVED
+CVE-2016-3724 (CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3723
- RESERVED
+CVE-2016-3723 (CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3722
- RESERVED
+CVE-2016-3722 (CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
-CVE-2016-3721
- RESERVED
+CVE-2016-3721 (CloudBees Jenkins before 2.3 and LTS before 1.651.2 might allow remote ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
CVE-2016-3720 [XmlMapper is vulnerable to XXE attack]
@@ -2952,7 +3147,7 @@
- jackson-dataformat-xml 2.7.4-1 (bug #823703)
NOTE: https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0 (2.7.4)
CVE-2016-3719
- RESERVED
+ REJECTED
CVE-2016-3718 (The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x ...)
{DSA-3580-1}
- imagemagick <unfixed>
@@ -3033,8 +3228,7 @@
[jessie] - glibc <no-dsa> (Minor issue, can be fixed via point release)
- eglibc <removed>
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20010
-CVE-2016-3705
- RESERVED
+CVE-2016-3705 (The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions ...)
- libxml2 <unfixed> (bug #823414)
CVE-2016-3704
RESERVED
@@ -3132,8 +3326,7 @@
NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1475 (8.36)
NOTE: Introduced in: http://vcs.pcre.org/pcre?view=revision&revision=1434 (8.35)
NOTE: http://www.openwall.com/lists/oss-security/2016/03/26/1
-CVE-2016-3674 [XXE vulnerability]
- RESERVED
+CVE-2016-3674 (Multiple XML external entity (XXE) vulnerabilities in the (1) ...)
{DSA-3575-1}
- libxstream-java 1.4.9-1 (bug #819455)
NOTE: http://x-stream.github.io/changes.html#1.4.9
@@ -3333,8 +3526,7 @@
- libjpeg9 <unfixed> (bug #819969)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319661
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1318509
-CVE-2016-3627 [stack exhaustion in libxml2 parsing xml files in recover mode]
- RESERVED
+CVE-2016-3627 (The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and ...)
- libxml2 <unfixed> (bug #819006)
NOTE: http://www.openwall.com/lists/oss-security/2016/03/21/3
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=762100
@@ -6028,6 +6220,7 @@
- phpmyadmin 4:4.5.5.1-1
[wheezy] - phpmyadmin <not-affected>
CVE-2016-2560 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...)
+ {DLA-481-1}
- phpmyadmin 4:4.5.5.1-1 (low)
NOTE: 7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy
NOTE: 0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in 3.4.3.1, but code mysteriously not found in wheezy
@@ -7472,7 +7665,7 @@
RESERVED
- moodle 2.7.13+dfsg-1
CVE-2016-2189
- RESERVED
+ REJECTED
NOTE: Will be rejected, duplicate of CVE-2016-4565
CVE-2016-2188 (The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the ...)
- linux <unfixed>
@@ -8108,6 +8301,7 @@
CVE-2016-2046 (Cross-site scripting (XSS) vulnerability in the UserPortal page in ...)
NOT-FOR-US: SOPHOS
CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in ...)
+ {DLA-481-1}
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/
@@ -8132,23 +8326,25 @@
NOTE: introduced as part of the CVE-2016-2039 fix
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-6/
CVE-2016-2041 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...)
- {DLA-406-1}
+ {DLA-481-1 DLA-406-1}
- phpmyadmin 4:4.5.4-1
NOTE: squeeze patch backport trivial to wheezy
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-5/
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/fe62b69a5b032de8e1d9d0a04456c1cecf46428c
CVE-2016-2040 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...)
+ {DLA-481-1}
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <no-dsa> (minor issue)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-3/
CVE-2016-2039 (libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...)
- {DLA-406-1}
+ {DLA-481-1 DLA-406-1}
- phpmyadmin 4:4.5.4-1
NOTE: squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-2/
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib.
NOTE: such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this
CVE-2016-2038 (phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x ...)
+ {DLA-481-1}
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <no-dsa> (minor issue)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-1/
@@ -8321,7 +8517,7 @@
CVE-2016-1980
RESERVED
CVE-2016-1979 (Use-after-free vulnerability in the ...)
- {DSA-3576-1 DLA-472-1}
+ {DSA-3576-1 DLA-480-1 DLA-472-1}
- iceweasel <removed>
- firefox-esr 45.0esr-1
- firefox 45.0-1
@@ -8332,6 +8528,7 @@
- nss 2:3.21-1
TODO: check if really fixed already in 3.21 upstream or only in 3.21.1
CVE-2016-1978 (Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange ...)
+ {DLA-480-1}
- iceweasel 44.0-1
[jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
[wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
@@ -8500,7 +8697,7 @@
CVE-2016-1951
RESERVED
CVE-2016-1950 (Heap-based buffer overflow in Mozilla Network Security Services (NSS) ...)
- {DSA-3520-1 DSA-3510-1}
+ {DSA-3520-1 DSA-3510-1 DLA-480-1}
- iceweasel <removed>
- firefox-esr 45.0esr-1
- firefox 45.0-1
@@ -8568,7 +8765,7 @@
[squeeze] - iceweasel <not-affected> (Only affects Firefox 43.x)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/
CVE-2016-1938 (The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network ...)
- {DLA-427-1}
+ {DLA-480-1 DLA-427-1}
- iceweasel 44.0-1
[jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
[wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
@@ -8625,6 +8822,7 @@
CVE-2016-1928 (Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows ...)
NOT-FOR-US: SAP
CVE-2016-1927 (The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x ...)
+ {DLA-481-1}
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <no-dsa> (minor issue)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-4/
@@ -13883,8 +14081,8 @@
RESERVED
CVE-2016-0324
RESERVED
-CVE-2016-0323
- RESERVED
+CVE-2016-0323 (The Auto-Scaling agent in Liberty for Java in IBM Bluemix before ...)
+ TODO: check
CVE-2016-0322
RESERVED
CVE-2016-0321
@@ -13917,8 +14115,8 @@
RESERVED
CVE-2016-0307
RESERVED
-CVE-2016-0306
- RESERVED
+CVE-2016-0306 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before ...)
+ TODO: check
CVE-2016-0305
RESERVED
CVE-2016-0304
@@ -17445,6 +17643,7 @@
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf
CVE-2015-8875 [Integer overlows in pixops_* functions]
+ RESERVED
{DLA-450-1}
- gdk-pixbuf 2.34.0-1
NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1)
@@ -18726,7 +18925,7 @@
NOTE: Fixes impact macros PL_ARENA_ALLOCATE and PL_ARENA_GROW, other packages need to be recompiled:
NOTE: jss (on wheezy/jessie) according to codesearch.debian.net
CVE-2015-7182 (Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network ...)
- {DSA-3410-1 DSA-3393-1 DLA-354-1}
+ {DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
- nss 2:3.20.1-1
NOTE: http://hg.mozilla.org/projects/nss/rev/4dc247276e58
NOTE: http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
@@ -18738,7 +18937,7 @@
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html
CVE-2015-7181 (The sec_asn1d_parse_leaf function in Mozilla Network Security Services ...)
- {DSA-3410-1 DSA-3393-1 DLA-354-1}
+ {DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
- nss 2:3.20.1-1
NOTE: http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
NOTE: http://hg.mozilla.org/projects/nss/rev/25cb033147fd
More information about the Secure-testing-commits
mailing list