[Secure-testing-commits] r46620 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Mon Nov 28 21:10:35 UTC 2016
Author: sectracker
Date: 2016-11-28 21:10:35 +0000 (Mon, 28 Nov 2016)
New Revision: 46620
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-28 19:34:24 UTC (rev 46619)
+++ data/CVE/list 2016-11-28 21:10:35 UTC (rev 46620)
@@ -1,3 +1,11 @@
+CVE-2016-9643
+ RESERVED
+CVE-2016-9642
+ RESERVED
+CVE-2016-9641
+ RESERVED
+CVE-2016-9640
+ RESERVED
CVE-2017-0355
RESERVED
CVE-2017-0354
@@ -418,6 +426,7 @@
NOTE: The patch addressing CVE-2014-9911 is applied in 54.1 , but the
NOTE: first fixed package version uploaded to unstable is 55.1-3 .
CVE-2016-9639 [salt confidentiality issue]
+ RESERVED
- salt 2016.3.0+ds-1
NOTE: http://www.openwall.com/lists/oss-security/2016/11/25/2
CVE-2016-9636
@@ -527,7 +536,7 @@
[wheezy] - w3m <no-dsa> (Minor issue)
NOTE: https://github.com/tats/w3m/issues/32
CVE-2016-9621
- RESERVED
+ REJECTED
- w3m 0.5.3-30
[jessie] - w3m <no-dsa> (Minor issue)
[wheezy] - w3m <no-dsa> (Minor issue)
@@ -551,8 +560,7 @@
[wheezy] - jasper <no-dsa> (the fix is too invasive)
NOTE: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
-CVE-2016-9555 [net/sctp: slab-out-of-bounds in sctp_sf_ootb]
- RESERVED
+CVE-2016-9555 (The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux ...)
- linux <unfixed>
NOTE: Fixed by: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 (4.9-rc4)
CVE-2016-9481
@@ -925,26 +933,22 @@
NOTE: http://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=774533
NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
-CVE-2016-9452 [Denial of service via transliterate mechanism]
- RESERVED
+CVE-2016-9452 (The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote ...)
- drupal8 <itp> (bug #756305)
- drupal7 <not-affected> (Only affects Drupal 8)
NOTE: https://www.drupal.org/SA-CORE-2016-005
NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8
-CVE-2016-9451 [Confirmation forms allow external URLs to be injected]
- RESERVED
+CVE-2016-9451 (Confirmation forms in Drupal 7.x before 7.52 make it easier for remote ...)
{DSA-3718-1 DLA-715-1}
- drupal7 7.52-1
NOTE: https://www.drupal.org/SA-CORE-2016-005
NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8
-CVE-2016-9450 [Incorrect cache context on password reset page]
- RESERVED
+CVE-2016-9450 (The user password reset form in Drupal 8.x before 8.2.3 allows remote ...)
- drupal8 <itp> (bug #756305)
- drupal7 <not-affected> (Only affects Drupal 8)
NOTE: https://www.drupal.org/SA-CORE-2016-005
NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8
-CVE-2016-9449 [Inconsistent name for term access query]
- RESERVED
+CVE-2016-9449 (The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 ...)
{DSA-3718-1 DLA-715-1}
- drupal8 <itp> (bug #756305)
- drupal7 7.52-1
@@ -1239,8 +1243,8 @@
RESERVED
CVE-2016-9314
RESERVED
-CVE-2016-9313
- RESERVED
+CVE-2016-9313 (security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles ...)
+ TODO: check
CVE-2016-9312
RESERVED
- ntp <not-affected> (Only ntpd on Windows)
@@ -1636,8 +1640,7 @@
- terminology 0.7.0-2 (bug #843434)
NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5
NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/12
-CVE-2016-9191 [local DoS with cgroup offline code]
- RESERVED
+CVE-2016-9191 (The cgroup offline implementation in the Linux kernel through 4.8.11 ...)
- linux <unfixed>
CVE-2016-9190 (Pillow before 3.3.2 allows context-dependent attackers to execute ...)
{DSA-3710-1 DLA-705-1}
@@ -1733,8 +1736,7 @@
NOT-FOR-US: git-fastclone
CVE-2015-8968 (git-fastclone before 1.0.1 permits arbitrary shell command execution ...)
NOT-FOR-US: git-fastclone
-CVE-2015-8970 [crypto: GPF in lrw_crypt caused by null-deref]
- RESERVED
+CVE-2015-8970 (crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not ...)
- linux 4.4.2-1
[jessie] - linux 3.16.7-ckt25-1
[wheezy] - linux 3.2.78-1
@@ -1753,7 +1755,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/4
NOTE: Slight mitigation and documentation improvement was done in 2.8.9dev.10 upstream
NOTE: the uplaod to unstable as 2.8.9dev10-1
-CVE-2016-9644 [privilege escalation in exception table handling]
+CVE-2016-9644 (The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the ...)
- linux <not-affected> (Vulnerable code not present)
NOTE: No incorrect backport of CVE-2016-9178 done in Debian
NOTE: This is only an issue if 1c109fabbd51863475cd12ac206bdd249aee35af
@@ -1762,8 +1764,7 @@
NOTE: src:linux was never affected. 1c109fabbd5 also wasn't backported to
NOTE: the 3.2 and 3.16 LTS series
NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/2
-CVE-2016-9178 [information leak]
- RESERVED
+CVE-2016-9178 (The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the ...)
- linux 4.7.5-1
[jessie] - linux <no-dsa> (Minor issue)
[wheezy] - linux <no-dsa> (Minor issue)
@@ -2141,14 +2142,12 @@
NOTE: For libwebp only in examples, but other projects seem to use the gifdec.c
NOTE: Origin of the file seems to be from libav
TODO: check: 0.5.1-3 claims the upload fixed CVE-2016-8888 and CVE-2016-9085 but the taken patch looks different, needs investigation
-CVE-2016-9084 [... "kzalloc is changed to a kcalloc."]
- RESERVED
+CVE-2016-9084 (drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 ...)
- linux <unfixed>
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://patchwork.kernel.org/patch/9373631/
NOTE: Fixed by: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a (v4.9-rc4)
-CVE-2016-9083 [state machine confusion bug]
- RESERVED
+CVE-2016-9083 (drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows ...)
- linux <unfixed>
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://patchwork.kernel.org/patch/9373631/
@@ -3206,8 +3205,7 @@
RESERVED
CVE-2016-8651
RESERVED
-CVE-2016-8650 [Null pointer dereference via keyctl]
- RESERVED
+CVE-2016-8650 (The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through ...)
- linux <unfixed>
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
NOTE: http://seclists.org/fulldisclosure/2016/Nov/76
@@ -3229,15 +3227,13 @@
RESERVED
- ansible <unfixed> (bug #844691)
NOTE: https://github.com/ansible/ansible-modules-core/pull/5388
-CVE-2016-8646 [oops in shash_async_export()]
- RESERVED
+CVE-2016-8646 (The hash_accept function in crypto/algif_hash.c in the Linux kernel ...)
- linux 4.4.2-1
[jessie] - linux 3.16.7-ckt25-1
[wheezy] - linux 3.2.78-1
NOTE: https://lkml.org/lkml/2016/10/12/198
NOTE: Fixed by: https://git.kernel.org/linus/4afa5f9617927453ac04b24b584f6c718dfb4f45 (v4.4-rc2)
-CVE-2016-8645
- RESERVED
+CVE-2016-8645 (The TCP stack in the Linux kernel before 4.8.10 mishandles skb ...)
- linux <unfixed>
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac6e780070e30e4c35bd395acfe9191e6268bdd3
CVE-2016-8644
@@ -3288,13 +3284,11 @@
RESERVED
- foreman <itp> (bug #663101)
NOTE: http://projects.theforeman.org/issues/17195
-CVE-2016-8633
- RESERVED
+CVE-2016-8633 (drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain ...)
- linux 4.8.7-1
NOTE: https://git.kernel.org/linus/667121ace9dbafb368618dbabcf07901c962ddac
NOTE: https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/
-CVE-2016-8632 [tipc_msg_build() doesn't validate MTU that can trigger heap overflow]
- RESERVED
+CVE-2016-8632 (The tipc_msg_build function in net/tipc/msg.c in the Linux kernel ...)
- linux <unfixed>
[jessie] - linux <not-affected> (Vulnerable code introduced in 3.17-rc1)
[wheezy] - linux <not-affected> (Vulnerable code introduced in 3.17-rc1)
@@ -3302,8 +3296,7 @@
CVE-2016-8631
RESERVED
NOT-FOR-US: OpenShift Enterprise
-CVE-2016-8630
- RESERVED
+CVE-2016-8630 (The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux ...)
- linux 4.8.7-1
[jessie] - linux <not-affected> (Vulnerable code introduced later)
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
@@ -9133,122 +9126,121 @@
RESERVED
CVE-2016-6755
RESERVED
-CVE-2016-6754
- RESERVED
-CVE-2016-6753
- RESERVED
-CVE-2016-6752
- RESERVED
-CVE-2016-6751
- RESERVED
-CVE-2016-6750
- RESERVED
-CVE-2016-6749
- RESERVED
-CVE-2016-6748
- RESERVED
-CVE-2016-6747
- RESERVED
-CVE-2016-6746
- RESERVED
-CVE-2016-6745
- RESERVED
-CVE-2016-6744
- RESERVED
-CVE-2016-6743
- RESERVED
-CVE-2016-6742
- RESERVED
-CVE-2016-6741
- RESERVED
-CVE-2016-6740
- RESERVED
-CVE-2016-6739
- RESERVED
-CVE-2016-6738
- RESERVED
-CVE-2016-6737
- RESERVED
-CVE-2016-6736
- RESERVED
-CVE-2016-6735
- RESERVED
-CVE-2016-6734
- RESERVED
-CVE-2016-6733
- RESERVED
-CVE-2016-6732
- RESERVED
-CVE-2016-6731
- RESERVED
-CVE-2016-6730
- RESERVED
-CVE-2016-6729
- RESERVED
-CVE-2016-6728
- RESERVED
+CVE-2016-6754 (A remote code execution vulnerability in Webview in Android 5.0.x ...)
+ TODO: check
+CVE-2016-6753 (An information disclosure vulnerability in kernel components, ...)
+ TODO: check
+CVE-2016-6752 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-6751 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-6750 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-6749 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-6748 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-6747 (A denial of service vulnerability in Mediaserver in Android before ...)
+ TODO: check
+CVE-2016-6746 (An information disclosure vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6745 (An elevation of privilege vulnerability in the Synaptics touchscreen ...)
+ TODO: check
+CVE-2016-6744 (An elevation of privilege vulnerability in the Synaptics touchscreen ...)
+ TODO: check
+CVE-2016-6743 (An elevation of privilege vulnerability in the Synaptics touchscreen ...)
+ TODO: check
+CVE-2016-6742 (An elevation of privilege vulnerability in the Synaptics touchscreen ...)
+ TODO: check
+CVE-2016-6741 (An elevation of privilege vulnerability in the Qualcomm camera driver ...)
+ TODO: check
+CVE-2016-6740 (An elevation of privilege vulnerability in the Qualcomm camera driver ...)
+ TODO: check
+CVE-2016-6739 (An elevation of privilege vulnerability in the Qualcomm camera driver ...)
+ TODO: check
+CVE-2016-6738 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...)
+ TODO: check
+CVE-2016-6737 (An elevation of privilege vulnerability in the kernel ION subsystem in ...)
+ TODO: check
+CVE-2016-6736 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6735 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6734 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6733 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6732 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6731 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6730 (An elevation of privilege vulnerability in the NVIDIA GPU driver in ...)
+ TODO: check
+CVE-2016-6729 (An elevation of privilege vulnerability in the Qualcomm bootloader in ...)
+ TODO: check
+CVE-2016-6728 (An elevation of privilege vulnerability in the kernel ION subsystem in ...)
NOT-FOR-US: Rowhammer hardware vulnerability on Android devices
NOTE: https://www.vusec.net/projects/drammer/
CVE-2016-6727
RESERVED
CVE-2016-6726
RESERVED
-CVE-2016-6725
- RESERVED
-CVE-2016-6724
- RESERVED
-CVE-2016-6723
- RESERVED
+CVE-2016-6725 (A remote code execution vulnerability in the Qualcomm crypto driver in ...)
+ TODO: check
+CVE-2016-6724 (A denial of service vulnerability in the Input Manager Service in ...)
+ TODO: check
+CVE-2016-6723 (A denial of service vulnerability in Proxy Auto Config in Android 4.x ...)
+ TODO: check
CVE-2016-6722
RESERVED
-CVE-2016-6721
- RESERVED
+CVE-2016-6721 (An information disclosure vulnerability in Mediaserver in Android 6.x ...)
+ TODO: check
CVE-2016-6720
RESERVED
-CVE-2016-6719
- RESERVED
-CVE-2016-6718
- RESERVED
-CVE-2016-6717
- RESERVED
-CVE-2016-6716
- RESERVED
-CVE-2016-6715
- RESERVED
-CVE-2016-6714
- RESERVED
-CVE-2016-6713
- RESERVED
+CVE-2016-6719 (An elevation of privilege vulnerability in the Bluetooth component in ...)
+ TODO: check
+CVE-2016-6718 (An elevation of privilege vulnerability in the Account Manager Service ...)
+ TODO: check
+CVE-2016-6717 (An elevation of privilege vulnerability in Mediaserver in Android 4.x ...)
+ TODO: check
+CVE-2016-6716 (An elevation of privilege vulnerability in the AOSP Launcher in ...)
+ TODO: check
+CVE-2016-6715 (An elevation of privilege vulnerability in the Framework APIs in ...)
+ TODO: check
+CVE-2016-6714 (A remote denial of service vulnerability in Mediaserver in Android 6.x ...)
+ TODO: check
+CVE-2016-6713 (A remote denial of service vulnerability in Mediaserver in Android 6.x ...)
+ TODO: check
CVE-2016-6712
RESERVED
CVE-2016-6711
RESERVED
-CVE-2016-6710
- RESERVED
-CVE-2016-6709
- RESERVED
-CVE-2016-6708
- RESERVED
-CVE-2016-6707
- RESERVED
+CVE-2016-6710 (An information disclosure vulnerability in the download manager in ...)
+ TODO: check
+CVE-2016-6709 (An information disclosure vulnerability in Conscrypt and BoringSSL in ...)
+ TODO: check
+CVE-2016-6708 (An elevation of privilege in the System UI in Android 7.0 before ...)
+ TODO: check
+CVE-2016-6707 (An elevation of privilege vulnerability in System Server in Android ...)
+ TODO: check
CVE-2016-6706
RESERVED
-CVE-2016-6705
- RESERVED
-CVE-2016-6704
- RESERVED
-CVE-2016-6703
- RESERVED
-CVE-2016-6702
- RESERVED
-CVE-2016-6701
- RESERVED
-CVE-2016-6700
- RESERVED
+CVE-2016-6705 (An elevation of privilege vulnerability in Mediaserver in Android ...)
+ TODO: check
+CVE-2016-6704 (An elevation of privilege vulnerability in Mediaserver in Android 4.x ...)
+ TODO: check
+CVE-2016-6703 (A remote code execution vulnerability in an Android runtime library in ...)
+ TODO: check
+CVE-2016-6702 (A remote code execution vulnerability in libjpeg in Android 4.x before ...)
+ TODO: check
+CVE-2016-6701 (A remote code execution vulnerability in libskia in Android 7.0 before ...)
+ TODO: check
+CVE-2016-6700 (An elevation of privilege vulnerability in libzipfile in Android 4.x ...)
+ TODO: check
CVE-2016-6699
RESERVED
-CVE-2016-6698
- RESERVED
+CVE-2016-6698 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
CVE-2016-6697
RESERVED
CVE-2016-6696 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 ...)
@@ -19259,7 +19251,7 @@
CVE-2016-3920 (id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x before ...)
TODO: check
CVE-2016-3919
- RESERVED
+ REJECTED
CVE-2016-3918 (email/provider/AttachmentProvider.java in AOSP Mail in Android 4.x ...)
TODO: check
CVE-2016-3917 (The fingerprint login feature in Android 6.0.1 before 2016-10-01 and ...)
@@ -19282,14 +19274,14 @@
TODO: check
CVE-2016-3908 (The Lock Settings Service in Android 6.x before 2016-10-01 and 7.0 ...)
TODO: check
-CVE-2016-3907
- RESERVED
-CVE-2016-3906
- RESERVED
+CVE-2016-3907 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
+CVE-2016-3906 (An information disclosure vulnerability in Qualcomm components ...)
+ TODO: check
CVE-2016-3905 (CORE/HDD/src/wlan_hdd_main.c in the Qualcomm Wi-Fi driver in Android ...)
TODO: check
-CVE-2016-3904
- RESERVED
+CVE-2016-3904 (An elevation of privilege vulnerability in the Qualcomm bus driver in ...)
+ TODO: check
CVE-2016-3903 (drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c in the ...)
TODO: check
CVE-2016-3902 (drivers/platform/msm/ipa/ipa_qmi_service.c in the Qualcomm IPA driver ...)
@@ -21761,14 +21753,14 @@
RESERVED
CVE-2016-2930
RESERVED
-CVE-2016-2929
- RESERVED
-CVE-2016-2928
- RESERVED
-CVE-2016-2927
- RESERVED
-CVE-2016-2926
- RESERVED
+CVE-2016-2929 (IBM BigFix Remote Control before 9.1.3 does not properly restrict ...)
+ TODO: check
+CVE-2016-2928 (IBM BigFix Remote Control before 9.1.3 allows remote authenticated ...)
+ TODO: check
+CVE-2016-2927 (IBM BigFix Remote Control before 9.1.3 does not properly restrict the ...)
+ TODO: check
+CVE-2016-2926 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...)
+ TODO: check
CVE-2016-2925 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal ...)
TODO: check
CVE-2016-2924
@@ -31286,14 +31278,14 @@
TODO: check
CVE-2016-0320
RESERVED
-CVE-2016-0319
- RESERVED
-CVE-2016-0318
- RESERVED
-CVE-2016-0317
- RESERVED
-CVE-2016-0316
- RESERVED
+CVE-2016-0319 (The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting ...)
+ TODO: check
+CVE-2016-0318 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and ...)
+ TODO: check
+CVE-2016-0317 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and ...)
+ TODO: check
+CVE-2016-0316 (Cross-site scripting (XSS) vulnerability in Lifecycle Query Engine ...)
+ TODO: check
CVE-2016-0315 (The Report Builder and Data Collection Component (DCC) in IBM Jazz ...)
TODO: check
CVE-2016-0314 (The Report Builder and Data Collection Component (DCC) in IBM Jazz ...)
@@ -53280,8 +53272,7 @@
- unattended-upgrades 0.86.1
CVE-2015-1329
RESERVED
-CVE-2015-1328 [incorrect permission checks in overlayfs, ubuntu local root]
- RESERVED
+CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) package ...)
- linux <not-affected> (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian)
- linux-2.6 <not-affected> (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian)
NOTE: http://seclists.org/oss-sec/2015/q2/717
More information about the Secure-testing-commits
mailing list