[Secure-testing-commits] r45099 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Wed Oct 5 21:10:14 UTC 2016
Author: sectracker
Date: 2016-10-05 21:10:14 +0000 (Wed, 05 Oct 2016)
New Revision: 45099
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-10-05 21:00:28 UTC (rev 45098)
+++ data/CVE/list 2016-10-05 21:10:14 UTC (rev 45099)
@@ -1,4 +1,7 @@
+CVE-2016-1000245
+ RESERVED
CVE-2016-7979 [type confusion in .initialize_dsc_parser allows remote code execution]
+ RESERVED
- ghostscript <unfixed> (bug #839846)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
@@ -6,18 +9,21 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/19
CVE-2016-7978 [reference leak in .setdevice allows use-after-free and remote code execution]
+ RESERVED
- ghostscript <unfixed> (bug #839845)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179
NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
NOTE: Patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=d5ad1e0298e1c193087c824eb4f79628b182e28b
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7
CVE-2016-7977 [.libfile doesn't check PermitFileReading array, allowing remote file disclosure]
+ RESERVED
- ghostscript <unfixed> (high; bug #839841)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
NOTE: Reproducer: http://www.openwall.com/lists/oss-security/2016/09/29/28
NOTE: Patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7
CVE-2016-7976 [various userparams allow %pipe% in paths, allowing remote shell command execution]
+ RESERVED
- ghostscript <unfixed> (high; bug #839260)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
NOTE: Reproducer: http://www.openwall.com/lists/oss-security/2016/09/30/8
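Review bot: The CVE-2016-7978 entry in this hunk is tracked as "- ghostscript <unfixed> (bug #839845)" with no urgency, although its description names use-after-free and remote code execution, while CVE-2016-7977 and CVE-2016-7976 directly below it carry "high". This revision only adds RESERVED to these entries, so a follow-up should either set the urgency on the 7978 package line to match, for example "- ghostscript <unfixed> (high; bug #839845)", or add a NOTE saying why it is rated lower.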
@@ -140,8 +146,8 @@
RESERVED
CVE-2016-8344
RESERVED
-CVE-2016-8343
- RESERVED
+CVE-2016-8343 (Directory traversal vulnerability in INDAS Web SCADA before 3 allows ...)
+ TODO: check
CVE-2016-8342
RESERVED
CVE-2016-8341
@@ -4933,10 +4939,10 @@
RESERVED
CVE-2016-6647 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 ...)
NOT-FOR-US: EMC
-CVE-2016-6646
- RESERVED
-CVE-2016-6645
- RESERVED
+CVE-2016-6646 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...)
+ TODO: check
+CVE-2016-6645 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...)
+ TODO: check
CVE-2016-6644 (EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows ...)
NOT-FOR-US: EMC
CVE-2016-6643 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 ...)
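Review bot: The new descriptions for CVE-2016-6646 and CVE-2016-6645 are left at "TODO: check" even though both name EMC Unisphere for VMAX and the neighbouring entries in this hunk (CVE-2016-6647, CVE-2016-6644) are already triaged as "NOT-FOR-US: EMC". Unless a Debian package is affected, tag these two the same way so they do not sit in the TODO backlog.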
@@ -5552,8 +5558,8 @@
RESERVED
CVE-2016-6551
RESERVED
-CVE-2016-6550
- RESERVED
+CVE-2016-6550 (The U by BB&T app 1.5.4 and earlier for iOS does not properly verify ...)
+ TODO: check
CVE-2016-6549
RESERVED
CVE-2016-6548
@@ -5953,10 +5959,10 @@
RESERVED
CVE-2016-6421
RESERVED
-CVE-2016-6420
- RESERVED
-CVE-2016-6419
- RESERVED
+CVE-2016-6420 (Cisco FireSIGHT System Software 4.10.3 through 5.4.0 in Firepower ...)
+ TODO: check
+CVE-2016-6419 (SQL injection vulnerability in Cisco Firepower Management Center ...)
+ TODO: check
CVE-2016-6418
RESERVED
CVE-2016-6417
@@ -7584,8 +7590,8 @@
RESERVED
CVE-2016-5984
RESERVED
-CVE-2016-5983
- RESERVED
+CVE-2016-5983 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before ...)
+ TODO: check
CVE-2016-5982
RESERVED
CVE-2016-5981
@@ -7748,8 +7754,8 @@
RESERVED
CVE-2016-5902
RESERVED
-CVE-2016-5901
- RESERVED
+CVE-2016-5901 (Cross-site scripting (XSS) vulnerability in a test page in IBM ...)
+ TODO: check
CVE-2016-5900
RESERVED
CVE-2016-5899
@@ -7766,8 +7772,8 @@
RESERVED
CVE-2016-5893
RESERVED
-CVE-2016-5892
- RESERVED
+CVE-2016-5892 (Cross-site scripting (XSS) vulnerability in IBM 10x, as used in ...)
+ TODO: check
CVE-2016-5891
RESERVED
CVE-2016-5890
@@ -8504,8 +8510,8 @@
RESERVED
CVE-2016-5692
RESERVED
-CVE-2016-5686
- RESERVED
+CVE-2016-5686 (Johnson & Johnson Animas OneTouch Ping devices mishandle ...)
+ TODO: check
CVE-2016-5685
RESERVED
CVE-2016-5684 [XMP Image Handling Code Execution Vulnerability]
@@ -10853,12 +10859,12 @@
RESERVED
CVE-2016-5087 (Alertus Desktop Notification before 2.9.31.1710 on OS X uses weak ...)
NOT-FOR-US: Alertus
-CVE-2016-5086
- RESERVED
-CVE-2016-5085
- RESERVED
-CVE-2016-5084
- RESERVED
+CVE-2016-5086 (Johnson & Johnson Animas OneTouch Ping devices allow remote attackers ...)
+ TODO: check
+CVE-2016-5085 (Johnson & Johnson Animas OneTouch Ping devices do not properly ...)
+ TODO: check
+CVE-2016-5084 (Johnson & Johnson Animas OneTouch Ping devices do not use encryption ...)
+ TODO: check
CVE-2016-5083
RESERVED
CVE-2016-5082
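Review bot: CVE-2016-5086, CVE-2016-5085 and CVE-2016-5084 all describe the same product, Johnson & Johnson Animas OneTouch Ping devices, and each is added with its own "TODO: check". Triage them in one pass; if no Debian package is involved, mark all three NOT-FOR-US with the product name, in the style of "NOT-FOR-US: Alertus" on CVE-2016-5087 just above.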
@@ -11058,7 +11064,7 @@
CVE-2016-4991
RESERVED
CVE-2016-4990
- RESERVED
+ REJECTED
NOTE: CVE should be rejected, not a security issue
CVE-2016-4989
RESERVED
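Review bot: With the state of CVE-2016-4990 changed to REJECTED, the unchanged line below it, "NOTE: CVE should be rejected, not a security issue", now reads as a request that is still pending. Reword it to record only the reason, for example "NOTE: Not a security issue", or drop it, so the entry does not look like it is waiting on a rejection.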
@@ -11638,6 +11644,7 @@
RESERVED
CVE-2016-4861 [ZF2016-03]
RESERVED
+ {DLA-646-1}
- zendframework 1.12.20+dfsg-1
NOTE: http://framework.zend.com/security/advisory/ZF2016-03
NOTE: This security fix can be considered an improvement of the previous ZF2016-02
@@ -13109,14 +13116,14 @@
RESERVED
CVE-2016-4391
RESERVED
-CVE-2016-4390
- RESERVED
-CVE-2016-4389
- RESERVED
-CVE-2016-4388
- RESERVED
-CVE-2016-4387
- RESERVED
+CVE-2016-4390 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote ...)
+ TODO: check
+CVE-2016-4389 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote ...)
+ TODO: check
+CVE-2016-4388 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote ...)
+ TODO: check
+CVE-2016-4387 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote ...)
+ TODO: check
CVE-2016-4386 (HPE Network Automation Software 10.10 allows local users to write to ...)
TODO: check
CVE-2016-4385 (HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, ...)
@@ -15278,7 +15285,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2549
NOTE: Upstream will remove thumbnail from 4.0.7 release
NOTE: No patch available. Issue marked as wontfix by upstream.
-CVE-2016-3631 (The (1) cpStrips and (2) cpTiles functions in the thumbmail tool in ...)
+CVE-2016-3631 (The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in ...)
- tiff <unfixed> (bug #820366)
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
@@ -17392,7 +17399,7 @@
- firefox-esr 45.3.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
CVE-2016-2836 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
- {DSA-3640-1 DLA-640-1 DLA-585-1}
+ {DSA-3686-1 DSA-3640-1 DLA-640-1 DLA-585-1}
- firefox 48.0-1
- firefox-esr 45.3.0esr-1
- icedove 1:45.3.0-1
@@ -17403,7 +17410,7 @@
- icedove <not-affected> (Doesn't apply to Thunderbird ESR)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
CVE-2016-2834 (Mozilla Network Security Services (NSS) before 3.23, as used in ...)
- {DLA-527-1}
+ {DSA-3688-1 DLA-527-1}
- nss 2:3.23-1
- firefox-esr <not-affected> (Doesn't apply to Firefox ESR)
- firefox 47.0-1
@@ -17733,11 +17740,11 @@
CVE-2016-2777
REJECTED
CVE-2016-2776 (buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before ...)
- {DSA-3680-1}
+ {DSA-3680-1 DLA-645-1}
- bind9 <unfixed> (bug #839010)
NOTE: https://kb.isc.org/article/AA-01419
CVE-2016-2775 (ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x ...)
- {DSA-3680-1}
+ {DSA-3680-1 DLA-645-1}
- bind9 <unfixed> (bug #831796)
NOTE: https://kb.isc.org/article/AA-01393/74/CVE-2016-2775
CVE-2016-2774 (ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 ...)
@@ -19359,10 +19366,10 @@
NOT-FOR-US: GE Multilink devices
CVE-2016-2309 (iRZ RUH2 before 2b does not validate firmware patches, which allows ...)
NOT-FOR-US: iRZ RUH2
-CVE-2016-2308
- RESERVED
-CVE-2016-2307
- RESERVED
+CVE-2016-2308 (American Auto-Matrix Aspect-Nexus Building Automation Front-End ...)
+ TODO: check
+CVE-2016-2307 (American Auto-Matrix Aspect-Nexus Building Automation Front-End ...)
+ TODO: check
CVE-2016-2306 (The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows ...)
NOT-FOR-US: Ecava IntegraXor
CVE-2016-2305 (Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before ...)
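Review bot: CVE-2016-2308 and CVE-2016-2307 are added as "TODO: check" for American Auto-Matrix Aspect-Nexus Building Automation Front-End, in a block where every other published entry (GE Multilink devices, iRZ RUH2, Ecava IntegraXor) is already NOT-FOR-US. If the product is not packaged, give these two a NOT-FOR-US line naming the product so the block stays fully triaged.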
@@ -20656,7 +20663,7 @@
CVE-2016-1980
RESERVED
CVE-2016-1979 (Use-after-free vulnerability in the ...)
- {DSA-3576-1 DLA-480-1 DLA-472-1}
+ {DSA-3688-1 DSA-3576-1 DLA-480-1 DLA-472-1}
- iceweasel <removed>
- firefox-esr 45.0esr-1
- firefox 45.0-1
@@ -20667,7 +20674,7 @@
- nss 2:3.21-1
TODO: check if really fixed already in 3.21 upstream or only in 3.21.1
CVE-2016-1978 (Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange ...)
- {DLA-480-1}
+ {DSA-3688-1 DLA-480-1}
- iceweasel 44.0-1
[jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
[wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
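Review bot: The context at the top of this hunk still carries "TODO: check if really fixed already in 3.21 upstream or only in 3.21.1" under "- nss 2:3.21-1" for the entry above CVE-2016-1978. This revision attaches DSA-3688-1 to several NSS issues, so this is a good point to settle that TODO and confirm the fixed version recorded for nss is the right one.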
@@ -20834,7 +20841,7 @@
- firefox 45.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
CVE-2016-1951 (Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable ...)
- {DLA-513-1}
+ {DSA-3687-1 DLA-513-1}
- firefox-esr 45.0esr-1
- firefox 45.0-1
- nspr 2:4.12-1
@@ -20843,7 +20850,7 @@
NOTE: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/dV4MyMsg6jw
NOTE: Upstream commit: https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2
CVE-2016-1950 (Heap-based buffer overflow in Mozilla Network Security Services (NSS) ...)
- {DSA-3520-1 DSA-3510-1 DLA-480-1}
+ {DSA-3688-1 DSA-3520-1 DSA-3510-1 DLA-480-1}
- iceweasel <removed>
- firefox-esr 45.0esr-1
- firefox 45.0-1
@@ -20911,7 +20918,7 @@
[squeeze] - iceweasel <not-affected> (Only affects Firefox 43.x)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/
CVE-2016-1938 (The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network ...)
- {DLA-480-1 DLA-427-1}
+ {DSA-3688-1 DLA-480-1 DLA-427-1}
- iceweasel 44.0-1
[jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
[wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
@@ -24503,8 +24510,8 @@
NOT-FOR-US: EMC RSA Authentication Manager
CVE-2016-0914 (EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, ...)
NOT-FOR-US: EMC Documentum WebTop and WebTop Clients
-CVE-2016-0913
- RESERVED
+CVE-2016-0913 (The client in EMC Replication Manager (RM) before ...)
+ TODO: check
CVE-2016-0912 (EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 allows remote ...)
NOT-FOR-US: EMC Data Domain OS
CVE-2016-0911 (EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 has a default ...)
@@ -30102,7 +30109,7 @@
[wheezy] - ruby-activesupport-2.3 <end-of-life>
NOTE: https://github.com/rails/rails/commit/a6fa3960c3a149e83eb2ff057be4472a82958e3d
CVE-2015-7575 (Mozilla Network Security Services (NSS) before 3.20.2, as used in ...)
- {DSA-3491-1 DSA-3465-1 DSA-3458-1 DSA-3457-1 DSA-3437-1 DSA-3436-1 DLA-410-1}
+ {DSA-3688-1 DSA-3491-1 DSA-3465-1 DSA-3458-1 DSA-3457-1 DSA-3437-1 DSA-3436-1 DLA-410-1}
- iceweasel 43.0.2-1
[squeeze] - iceweasel <end-of-life>
- icedove 38.6.0-1
@@ -31277,7 +31284,7 @@
NOTE: Fixes impact macros PL_ARENA_ALLOCATE and PL_ARENA_GROW, other packages need to be recompiled:
NOTE: jss (on wheezy/jessie) according to codesearch.debian.net
CVE-2015-7182 (Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network ...)
- {DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
+ {DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
- nss 2:3.20.1-1
NOTE: http://hg.mozilla.org/projects/nss/rev/4dc247276e58
NOTE: http://hg.mozilla.org/projects/nss/rev/534aca7a5bca
@@ -31289,7 +31296,7 @@
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html
CVE-2015-7181 (The sec_asn1d_parse_leaf function in Mozilla Network Security Services ...)
- {DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
+ {DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1}
- nss 2:3.20.1-1
NOTE: http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb
NOTE: http://hg.mozilla.org/projects/nss/rev/25cb033147fd
@@ -40088,7 +40095,7 @@
NOTE: https://lkml.org/lkml/2015/5/13/744
NOTE: Not enabled in Debian kernels; staging drivers are not supported
CVE-2015-4000 (The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is ...)
- {DSA-3339-1 DSA-3324-1 DSA-3316-1 DSA-3300-1 DSA-3287-1 DLA-507-1 DLA-303-1 DLA-247-1}
+ {DSA-3688-1 DSA-3339-1 DSA-3324-1 DSA-3316-1 DSA-3300-1 DSA-3287-1 DLA-507-1 DLA-303-1 DLA-247-1}
- openssl 1.0.2b-1
- nss 2:3.19.1-1
[squeeze] - nss <no-dsa> (no point in switching min key size so close to EOL)
@@ -63228,10 +63235,10 @@
NOT-FOR-US: Meinberg NTP Server firmware on LANTIME M-Series devices
CVE-2014-5416
RESERVED
-CVE-2014-5415
- RESERVED
-CVE-2014-5414
- RESERVED
+CVE-2014-5415 (Beckhoff Embedded PC images before 2014-10-22 and Automation Device ...)
+ TODO: check
+CVE-2014-5414 (Beckhoff Embedded PC images before 2014-10-22 and Automation Device ...)
+ TODO: check
CVE-2014-5413 (Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 ...)
NOT-FOR-US: Schneider Electric
CVE-2014-5412 (Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 ...)
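Review bot: CVE-2014-5415 and CVE-2014-5414 receive their descriptions (Beckhoff Embedded PC images and Automation Device ...) but stay at "TODO: check", while the entries around them in this hunk (Meinberg NTP Server firmware, Schneider Electric) are marked NOT-FOR-US. These are 2014 identifiers, so they are easy to overlook in the backlog; triage them now and add "NOT-FOR-US: Beckhoff" if no Debian package is affected.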