[Secure-testing-commits] r55169 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Mon Aug 28 21:10:14 UTC 2017
Author: sectracker
Date: 2017-08-28 21:10:14 +0000 (Mon, 28 Aug 2017)
New Revision: 55169
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-08-28 20:44:43 UTC (rev 55168)
+++ data/CVE/list 2017-08-28 21:10:14 UTC (rev 55169)
@@ -1,3 +1,13 @@
+CVE-2017-13715 (The __skb_flow_dissect function in net/core/flow_dissector.c in the ...)
+ TODO: check
+CVE-2017-13714
+ RESERVED
+CVE-2017-13713
+ RESERVED
+CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function in ...)
+ TODO: check
+CVE-2017-13711
+ RESERVED
CVE-2017-XXXX [stack-based buffer overflow write in pgxtoimage]
- openjpeg2 <unfixed>
NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9
@@ -1642,16 +1652,16 @@
CVE-2017-12955 (There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. The ...)
- exiv2 <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482295
-CVE-2017-12954
- RESERVED
-CVE-2017-12953
- RESERVED
-CVE-2017-12952
- RESERVED
-CVE-2017-12951
- RESERVED
-CVE-2017-12950
- RESERVED
+CVE-2017-12954 (The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig ...)
+ TODO: check
+CVE-2017-12953 (The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in ...)
+ TODO: check
+CVE-2017-12952 (The LoadString function in helper.h in libgig 4.0.0 allows remote ...)
+ TODO: check
+CVE-2017-12951 (The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in ...)
+ TODO: check
+CVE-2017-12950 (The gig::Region::Region function in gig.cpp in libgig 4.0.0 allows ...)
+ TODO: check
CVE-2017-12949 (lib\modules\contributors\contributor_list_table.php in the Podlove ...)
NOT-FOR-US: Podlove Podcast Publisher plugin for Wordpress
CVE-2017-12948 (Core\Admin\PFTemplater.php in the PressForward plugin 4.3.0 and earlier ...)
@@ -1789,26 +1799,19 @@
RESERVED
CVE-2017-12893
RESERVED
-CVE-2017-12925
- RESERVED
+CVE-2017-12925 (Double free vulnerability in DfFromLB in docfile.cxx in libfpx ...)
NOT-FOR-US: libfpx
-CVE-2017-12924
- RESERVED
+CVE-2017-12924 (CDirVector::GetTable in dirfunc.hxx in libfpx 1.3.1_p6 allows remote ...)
NOT-FOR-US: libfpx
-CVE-2017-12923
- RESERVED
+CVE-2017-12923 (OLEStream::WriteVT_LPSTR in olestrm.cpp in libfpx 1.3.1_p6 allows ...)
NOT-FOR-US: libfpx
-CVE-2017-12922
- RESERVED
+CVE-2017-12922 (wchar.c in libfpx 1.3.1_p6 allows remote attackers to cause a denial ...)
NOT-FOR-US: libfpx
-CVE-2017-12921
- RESERVED
+CVE-2017-12921 (PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx ...)
NOT-FOR-US: libfpx
-CVE-2017-12920
- RESERVED
+CVE-2017-12920 (CDirectory::GetDirEntry in dir.cxx in libfpx 1.3.1_p6 allows remote ...)
NOT-FOR-US: libfpx
-CVE-2017-12919
- RESERVED
+CVE-2017-12919 (Heap-based buffer overflow in OLEStream::WriteVT_LPSTR in olestrm.cpp ...)
NOT-FOR-US: libfpx
CVE-2017-12927 (A cross-site scripting vulnerability exists in Cacti 1.1.17 in the ...)
- cacti 1.1.17+ds1-2 (bug #872478)
@@ -2353,14 +2356,12 @@
RESERVED
CVE-2014-10039
RESERVED
-CVE-2017-12877 [use-after-free in DestroyImage (image.c)]
- RESERVED
+CVE-2017-12877 (Use-after-free vulnerability in the DestroyImage function in image.c ...)
- imagemagick <unfixed> (bug #872373)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/662
NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5
NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890
-CVE-2017-12876 [heap-based buffer overflow in .omp_outlined..32 (enhance.c)]
- RESERVED
+CVE-2017-12876 (Heap-based buffer overflow in enhance.c in ImageMagick before 7.0.6-6 ...)
- imagemagick <unfixed> (bug #872374)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/663
NOTE: https://github.com/ImageMagick/ImageMagick/commit/1cc6f0ccc92c20c7cab6c4a7335daf29c91f0d8e
@@ -2475,8 +2476,8 @@
RESERVED
CVE-2017-12841
RESERVED
-CVE-2017-12840
- RESERVED
+CVE-2017-12840 (A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client ...)
+ TODO: check
CVE-2017-12839
RESERVED
CVE-2017-12838
@@ -4294,10 +4295,10 @@
RESERVED
CVE-2017-12078
RESERVED
-CVE-2017-12077
- RESERVED
-CVE-2017-12076
- RESERVED
+CVE-2017-12077 (Uncontrolled Resource Consumption vulnerability in ...)
+ TODO: check
+CVE-2017-12076 (Uncontrolled Resource Consumption vulnerability in ...)
+ TODO: check
CVE-2017-12075
RESERVED
CVE-2017-12074 (Directory traversal vulnerability in the ...)
@@ -5121,6 +5122,7 @@
NOTE: https://sourceforge.net/p/lame/bugs/460/
NOTE: Duplicate/same as: https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/
CVE-2017-11719 (The dnxhd_decode_header function in libavcodec/dnxhddec.c in FFmpeg ...)
+ {DSA-3957-1}
- ffmpeg 7:3.3.3-1
- libav <removed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/296debd213bd6dce7647cedd34eb64e5b94cdc92
@@ -5286,6 +5288,7 @@
CVE-2017-11666 (Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the ...)
NOT-FOR-US: Kopano
CVE-2017-11665 (The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg ...)
+ {DSA-3957-1}
- ffmpeg 7:3.3.3-1
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ffcc82219cef0928bed2d558b19ef6ea35634130
NOTE: Fixed in 3.2.7
@@ -6123,6 +6126,7 @@
NOTE: http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
NOTE: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
CVE-2017-11399 (Integer overflow in the ape_decode_frame function in ...)
+ {DSA-3957-1}
- ffmpeg 7:3.3.3-1
NOTE: https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0
NOTE: Fixed in 3.2.7
@@ -7827,44 +7831,44 @@
RESERVED
CVE-2017-10845
RESERVED
-CVE-2017-10844
- RESERVED
-CVE-2017-10843
- RESERVED
-CVE-2017-10842
- RESERVED
-CVE-2017-10841
- RESERVED
-CVE-2017-10840
- RESERVED
-CVE-2017-10839
- RESERVED
-CVE-2017-10838
- RESERVED
-CVE-2017-10837
- RESERVED
-CVE-2017-10836
- RESERVED
-CVE-2017-10835
- RESERVED
-CVE-2017-10834
- RESERVED
-CVE-2017-10833
- RESERVED
-CVE-2017-10832
- RESERVED
-CVE-2017-10831
- RESERVED
-CVE-2017-10830
- RESERVED
+CVE-2017-10844 (baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to ...)
+ TODO: check
+CVE-2017-10843 (baserCMS version 3.0.14 and earlier, 4.0.5 and earlier allows remote ...)
+ TODO: check
+CVE-2017-10842 (SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 ...)
+ TODO: check
+CVE-2017-10841 (Directory traversal vulnerability in WebCalendar 1.2.7 and earlier ...)
+ TODO: check
+CVE-2017-10840 (Cross-site scripting vulnerability in WebCalendar 1.2.7 and earlier ...)
+ TODO: check
+CVE-2017-10839 (SQL injection vulnerability in the SEO Panel prior to version 3.11.0 ...)
+ TODO: check
+CVE-2017-10838 (Cross-site scripting vulnerability in SEO Panel prior to version ...)
+ TODO: check
+CVE-2017-10837 (Cross-site scripting vulnerability in BackupGuard prior to version ...)
+ TODO: check
+CVE-2017-10836 (Untrusted search path vulnerability in Optimal Guard 1.1.21 and ...)
+ TODO: check
+CVE-2017-10835 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...)
+ TODO: check
+CVE-2017-10834 (Directory traversal vulnerability in "Dokodemo eye Smart HD" SCR02HD ...)
+ TODO: check
+CVE-2017-10833 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...)
+ TODO: check
+CVE-2017-10832 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...)
+ TODO: check
+CVE-2017-10831 (Untrusted search path vulnerability in The electronic authentication ...)
+ TODO: check
+CVE-2017-10830 (Untrusted search path vulnerability in Security Setup Tool all ...)
+ TODO: check
CVE-2017-10829
RESERVED
-CVE-2017-10828
- RESERVED
-CVE-2017-10827
- RESERVED
-CVE-2017-10826
- RESERVED
+CVE-2017-10828 (Untrusted search path vulnerability in Flets Install Tool all versions ...)
+ TODO: check
+CVE-2017-10827 (Untrusted search path vulnerability in Flets Azukeru for Windows Auto ...)
+ TODO: check
+CVE-2017-10826 (Untrusted search path vulnerability in Security Kinou Mihariban ...)
+ TODO: check
CVE-2017-10825
RESERVED
CVE-2017-10824 (Untrusted search path vulnerability in TDB CA TypeA use software ...)
@@ -7891,8 +7895,8 @@
RESERVED
CVE-2017-10813
RESERVED
-CVE-2017-10812
- RESERVED
+CVE-2017-10812 (Untrusted search path vulnerability in Photo Collection PC Software ...)
+ TODO: check
CVE-2017-10811 (Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an ...)
NOT-FOR-US: Buffalo WCR-1166DS devices
CVE-2017-10810 (Memory leak in the virtio_gpu_object_create function in ...)
@@ -8440,6 +8444,7 @@
[wheezy] - libav <not-affected> (Vulnerable code not present, WebP decoder feature introduced in v10)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef
CVE-2017-9993 (FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, ...)
+ {DSA-3957-1}
- ffmpeg 7:3.2.6-1
- libav <undetermined>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
@@ -8489,10 +8494,10 @@
RESERVED
CVE-2017-9980 (In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the ...)
NOT-FOR-US: Green Packet
-CVE-2017-9979
- RESERVED
-CVE-2017-9978
- RESERVED
+CVE-2017-9979 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the ...)
+ TODO: check
+CVE-2017-9978 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw ...)
+ TODO: check
CVE-2017-9977 (AVG AntiVirus for MacOS with scan engine before 4668 might allow ...)
NOT-FOR-US: AVG
CVE-2017-9976
@@ -11017,6 +11022,7 @@
NOT-FOR-US: Blackcat CMS
CVE-2017-9608 [NULL pointer exception]
RESERVED
+ {DSA-3957-1}
- ffmpeg 7:3.3.3-1
NOTE: http://www.openwall.com/lists/oss-security/2017/08/14/1
NOTE: https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd
@@ -14621,8 +14627,7 @@
NOT-FOR-US: admidio
CVE-2017-8381 (XnView Classic for Windows Version 2.40 allows user-assisted remote ...)
NOT-FOR-US: XnView Classic for Windows
-CVE-2017-8380 [scsi: megasas: out-of-bounds read in megasas_mmio_write]
- RESERVED
+CVE-2017-8380 (Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 ...)
- qemu 1:2.8+dfsg-5 (bug #862282)
[jessie] - qemu <not-affected> (Vulnerable code introduced later)
[wheezy] - qemu <not-affected> (Vulnerable code introduced later)
@@ -20269,8 +20274,7 @@
NOTE: https://github.com/Thomas-Tsai/partclone/commit/96401fb5b7221fc5f44df7079485c395f9c3a428
CVE-2017-6595
RESERVED
-CVE-2017-6594 [transit path validation]
- RESERVED
+CVE-2017-6594 (The transit path validation code in Heimdal before 7.3 might allow ...)
- heimdal 7.1.0+dfsg-12
[jessie] - heimdal <no-dsa> (Minor issue)
[wheezy] - heimdal <no-dsa> (Minor issue)
@@ -28739,8 +28743,8 @@
RESERVED
CVE-2017-3758
RESERVED
-CVE-2017-3757
- RESERVED
+CVE-2017-3757 (An unquoted service path vulnerability was identified in the driver ...)
+ TODO: check
CVE-2017-3756 (A privilege escalation vulnerability was identified in Lenovo Active ...)
NOT-FOR-US: Lenovo
CVE-2017-3755
@@ -28761,8 +28765,8 @@
NOT-FOR-US: Lenovo
CVE-2017-3747 (Privilege escalation vulnerability in Lenovo Nerve Center for Windows ...)
NOT-FOR-US: Lenovo
-CVE-2017-3746
- RESERVED
+CVE-2017-3746 (ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, ...)
+ TODO: check
CVE-2017-3745 (In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data ...)
NOT-FOR-US: Lenovo
CVE-2017-3744 (In the IMM2 firmware of Lenovo System x servers, remote commands ...)
@@ -28783,8 +28787,8 @@
RESERVED
CVE-2017-3736
RESERVED
-CVE-2017-3735
- RESERVED
+CVE-2017-3735 (While parsing an IPAdressFamily extension in an X.509 certificate, it ...)
+ TODO: check
CVE-2017-3734
REJECTED
CVE-2017-3733 (During a renegotiation handshake if the Encrypt-Then-Mac extension is ...)
@@ -33342,16 +33346,16 @@
RESERVED
CVE-2017-2259
RESERVED
-CVE-2017-2258
- RESERVED
-CVE-2017-2257
- RESERVED
-CVE-2017-2256
- RESERVED
-CVE-2017-2255
- RESERVED
-CVE-2017-2254
- RESERVED
+CVE-2017-2258 (Directory traversal vulnerability in Cybozu Garoon 4.2.4 to 4.2.5 ...)
+ TODO: check
+CVE-2017-2257 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 ...)
+ TODO: check
+CVE-2017-2256 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 ...)
+ TODO: check
+CVE-2017-2255 (Cross-site scripting vulnerability in Cybozu Garoon 3.7.0 to 4.2.5 ...)
+ TODO: check
+CVE-2017-2254 (Cybozu Garoon 3.5.0 to 4.2.5 allows an attacker to cause a denial of ...)
+ TODO: check
CVE-2017-2253 (Untrusted search path vulnerability in Installer of Yahoo! Toolbar ...)
NOT-FOR-US: Installer of Yahoo! Toolbar (for Internet explorer)
CVE-2017-2252 (Untrusted search path vulnerability in Self-extracting archive files ...)
@@ -33374,8 +33378,8 @@
NOT-FOR-US: MFC-J960DWN firmware
CVE-2017-2243 (Cross-site scripting vulnerability in Responsive Lightbox prior to ...)
NOT-FOR-US: Responsive Lightbox
-CVE-2017-2242
- RESERVED
+CVE-2017-2242 (Untrusted search path vulnerability in Flets Setsuzoku Tool for ...)
+ TODO: check
CVE-2017-2241 (SQL injection vulnerability in the AssetView for MacOS Ver.9.2.0 and ...)
NOT-FOR-US: AssetView for MacOS
CVE-2017-2240 (Directory traversal vulnerability in AssetView for MacOS Ver.9.2.0 and ...)
@@ -34880,8 +34884,8 @@
RESERVED
CVE-2017-1490
RESERVED
-CVE-2017-1489
- RESERVED
+CVE-2017-1489 (IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community ...)
+ TODO: check
CVE-2017-1488
RESERVED
CVE-2017-1487
@@ -35106,8 +35110,7 @@
RESERVED
CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error messages ...)
NOT-FOR-US: IBM
-CVE-2017-1376
- RESERVED
+CVE-2017-1376 (A flaw in the IBM J9 VM class verifier allows untrusted code to ...)
NOT-FOR-US: IBM JDK
CVE-2017-1375
RESERVED
@@ -35639,8 +35642,8 @@
RESERVED
CVE-2017-1111
RESERVED
-CVE-2017-1110
- RESERVED
+CVE-2017-1110 (IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 contains an ...)
+ TODO: check
CVE-2017-1109
RESERVED
CVE-2017-1108
@@ -36148,8 +36151,8 @@
RESERVED
CVE-2016-9733 (IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site ...)
NOT-FOR-US: IBM
-CVE-2016-9732
- RESERVED
+CVE-2016-9732 (IBM Curam Social Program Management 6.0, 6.1, 6.2 and 7.0 is ...)
+ TODO: check
CVE-2016-9731 (IBM Business Process Manager is vulnerable to cross-site scripting. ...)
NOT-FOR-US: IBM
CVE-2016-9730 (IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request ...)
@@ -46471,8 +46474,7 @@
NOTE: http://tracker.ceph.com/issues/13207
NOTE: https://github.com/ceph/ceph/pull/6057
NOTE: https://github.com/ceph/ceph/pull/11045
-CVE-2016-7030 [DoS attack against kerberized services by abusing password policy]
- RESERVED
+CVE-2016-7030 (FreeIPA uses a default password policy that locks an account after 5 ...)
- freeipa <unfixed> (bug #849970)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1370493
NOTE: https://fedorahosted.org/freeipa/ticket/6561
@@ -59528,8 +59530,8 @@
RESERVED
CVE-2016-2971
RESERVED
-CVE-2016-2970
- RESERVED
+CVE-2016-2970 (IBM Sametime 8.5 and 9.0 meetings server may provide detailed ...)
+ TODO: check
CVE-2016-2969
RESERVED
CVE-2016-2968 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.7 allows ...)
@@ -68283,8 +68285,7 @@
NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874
CVE-2016-0635 (Unspecified vulnerability in the Enterprise Manager Ops Center ...)
NOT-FOR-US: MySQL Enterprise Monitor
-CVE-2016-0634 [bash prompt expanding return value from gethostname()]
- RESERVED
+CVE-2016-0634 (The expansion of '\h' in the prompt string in bash 4.3 allows remote ...)
- bash 4.4-1 (unimportant)
[jessie] - bash 4.3-11+deb8u1
NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/8
@@ -82693,8 +82694,8 @@
NOT-FOR-US: SAP Sybase Unwired Platform Online Data Proxy
CVE-2015-3977 (Buffer overflow in Schneider Electric IMT25 Magnetic Flow DTM before ...)
NOT-FOR-US: Schneider Electric
-CVE-2015-3976
- RESERVED
+CVE-2015-3976 (Cross-site scripting (XSS) vulnerability in GE Multilink ...)
+ TODO: check
CVE-2015-3975
REJECTED
CVE-2015-3974 (EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x ...)
@@ -88501,8 +88502,8 @@
RESERVED
CVE-2013-7431
RESERVED
-CVE-2013-7430
- RESERVED
+CVE-2013-7430 (Cross-site scripting (XSS) vulnerability in the Google Maps plugin ...)
+ TODO: check
CVE-2013-7429
RESERVED
CVE-2013-7428
@@ -88986,8 +88987,8 @@
NOTE: Request to mark the package as unsupported in #779104
CVE-2015-1878 (Thales nShield Connect hardware models 500, 1500, 6000, 500+, 1500+, ...)
NOT-FOR-US: nShield Connect hardware models
-CVE-2015-1876
- RESERVED
+CVE-2015-1876 (Directory traversal vulnerability in ES File Explorer 3.2.4.1. ...)
+ TODO: check
CVE-2015-1875 (SQL injection vulnerability in a2billing/customer/iridium_threed.php ...)
NOT-FOR-US: Elastix
CVE-2015-1874 (Cross-site request forgery (CSRF) vulnerability in the Contact Form DB ...)
@@ -89834,8 +89835,7 @@
NOT-FOR-US: Landsknecht Adminsystems
CVE-2015-1603 (Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems ...)
NOT-FOR-US: Landsknecht Adminsystems
-CVE-2015-1600
- RESERVED
+CVE-2015-1600 (Information disclosure vulnerability in Netatmo Indoor Module firmware ...)
NOT-FOR-US: Netatmo Weather Station
CVE-2015-1588 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange ...)
NOT-FOR-US: Open-Xchange
@@ -90250,8 +90250,7 @@
NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5)
NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1)
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=91441
-CVE-2015-2046 [XSS, incomplete fix for CVE-2014-8986]
- RESERVED
+CVE-2015-2046 (Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later ...)
- mantis <removed>
[wheezy] - mantis <no-dsa> (Minor issue)
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
@@ -90460,12 +90459,12 @@
RESERVED
CVE-2015-1446
RESERVED
-CVE-2015-1445
- RESERVED
+CVE-2015-1445 (HTTP header injection in the httpd package in fli4l before 3.10.1 and ...)
+ TODO: check
CVE-2015-1444 (Multiple cross-site scripting (XSS) vulnerabilities in the web ...)
NOT-FOR-US: fli4l
-CVE-2015-1443
- RESERVED
+CVE-2015-1443 (The httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30 ...)
+ TODO: check
CVE-2015-1442 (SQL injection vulnerability in views/zero_transact_user.php in the ...)
NOT-FOR-US: ZeroCMS
CVE-2015-1440
@@ -90582,8 +90581,7 @@
[wheezy] - phpbb3 3.0.10-4+deb7u2
[squeeze] - phpbb3 <no-dsa> (Minor issue)
NOTE: https://tracker.phpbb.com/browse/PHPBB3-13531
-CVE-2015-1430 [buffer overrun in acknowledge.c(gi)]
- RESERVED
+CVE-2015-1430 (Buffer overflow in xymon 4.3.17-1. ...)
- xymon 4.3.17-5 (low; bug #776007)
[squeeze] - xymon <not-affected> (Vulnerable code not present)
[wheezy] - xymon <not-affected> (Vulnerable code not present)
@@ -90792,11 +90790,9 @@
NOT-FOR-US: typo3 extension
CVE-2015-1402 (Cross-site scripting (XSS) vulnerability in the Content Rating ...)
NOT-FOR-US: typo3 extension
-CVE-2015-1401
- RESERVED
+CVE-2015-1401 (Improper Authentication vulnerability in the "LDAP / SSO ...)
NOT-FOR-US: typo3 extension
-CVE-2015-1554 [can be crashed by some network traffic]
- RESERVED
+CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service ...)
- kgb-bot <unfixed> (low; bug #776424)
[stretch] - kgb-bot <no-dsa> (Minor issue)
[jessie] - kgb-bot <no-dsa> (Minor issue)
@@ -90891,7 +90887,7 @@
NOTE: https://bugs.launchpad.net/python-dbusmock/+bug/1453815
CVE-2015-1325 (Race condition in Apport before 2.17.2-0ubuntu1.1 as packaged in ...)
[experimental] - apport 2.17.3-1
-CVE-2015-1324 (apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before ...)
+CVE-2015-1324 (Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before ...)
[experimental] - apport 2.17.3-1
CVE-2015-1323 (The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 ...)
{DLA-261-1}
@@ -90943,8 +90939,7 @@
NOT-FOR-US: COMODO Backup
CVE-2014-9632 (The TDI driver (avgtdix.sys) in AVG Internet Security before 2013.3495 ...)
NOT-FOR-US: AVG
-CVE-2015-1386 [directory traversal]
- RESERVED
+CVE-2015-1386 (Directory traversal vulnerability in unshield 1.0-1. ...)
- unshield 1.4-1 (low; bug #776193)
[jessie] - unshield <no-dsa> (Minor issue)
[wheezy] - unshield <no-dsa> (Minor issue)
@@ -91523,8 +91518,7 @@
NOT-FOR-US: Mango Automation
CVE-2015-1178 (Multiple cross-site scripting (XSS) vulnerabilities in cart.php in ...)
NOT-FOR-US: X-Cart
-CVE-2015-1177
- RESERVED
+CVE-2015-1177 (Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2. ...)
NOT-FOR-US: Exponent CMS
CVE-2015-1176 (Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in ...)
NOT-FOR-US: osTicket
@@ -92047,8 +92041,7 @@
NOTE: Patch: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
CVE-2015-1200 (Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for ...)
- pxz 4.999.99~beta3+git659fc9b-3 (bug #775306)
-CVE-2015-1199 [directory traversal vulnerabilities]
- RESERVED
+CVE-2015-1199 (Directory traversal vulnerability in ppmd 10.1-5. ...)
- ppmd <removed> (low; bug #775218)
[jessie] - ppmd <no-dsa> (Minor issue)
[wheezy] - ppmd <no-dsa> (Minor issue)
@@ -92242,8 +92235,8 @@
NOT-FOR-US: Inductive Automation Ignition
CVE-2015-0975
RESERVED
-CVE-2015-0974
- RESERVED
+CVE-2015-0974 (Untrusted search path vulnerability in ZTE Datacard MF19 0V1.0.0B04 ...)
+ TODO: check
CVE-2015-0972 (Pearson ProctorCache before 2015.1.17 uses the same hardcoded password ...)
NOT-FOR-US: Pearson ProctorCache
CVE-2015-0971 (The DER parser in Suricata before 2.0.8 allows remote attackers to ...)
@@ -92337,8 +92330,7 @@
NOT-FOR-US: SerVision HVG Video Gateway
CVE-2015-0929 (time.htm in the web interface on SerVision HVG Video Gateway devices ...)
NOT-FOR-US: SerVision HVG Video Gateway
-CVE-2015-0928 [DCERPC traffic parsing issue]
- RESERVED
+CVE-2015-0928 (libhtp 0.5.15 allows remote attackers to cause a denial of service ...)
- suricata 2.0.7-1
[wheezy] - suricata <no-dsa> (Unusable in wheezy, planned for removal)
[squeeze] - suricata <no-dsa> (Minor issue)
@@ -92566,7 +92558,7 @@
CVE-2015-5701 (mktexlsr revision 36855, and before revision 36626 as packaged in ...)
- texlive-bin <not-affected> (Vulnerable code not reintroduced, patch mktexlsr-use-mktemp still applied)
NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855
-CVE-2015-5700 (mktexlsr revision 36855, and before revision 36626 as packaged in ...)
+CVE-2015-5700 (mktexlsr revision 22855 through revision 36625 as packaged in texlive ...)
- texlive-bin 2014.20140926.35254-5 (bug #775139)
[wheezy] - texlive-bin <no-dsa> (Minor issue)
[squeeze] - texlive-bin <no-dsa> (Minor issue)
@@ -93604,10 +93596,10 @@
NOT-FOR-US: SoftBB
CVE-2014-9559 (Cross-site scripting (XSS) vulnerability in SnipSnap 0.5.2a, 1.0b1, ...)
NOT-FOR-US: SnipSnap
-CVE-2014-9558
- RESERVED
-CVE-2014-9557
- RESERVED
+CVE-2014-9558 (Multiple SQL injection vulnerabilities in SmartCMS v.2. ...)
+ TODO: check
+CVE-2014-9557 (Multiple cross-site scripting (XSS) vulnerabilities in SmartCMS v.2. ...)
+ TODO: check
CVE-2014-9555
RESERVED
CVE-2014-9554
@@ -93665,8 +93657,7 @@
CVE-2014-9527 (HSLFSlideShow in Apache POI before 3.11 allows remote attackers to ...)
- libapache-poi-java 3.10.1-2 (low; bug #775171)
[wheezy] - libapache-poi-java <no-dsa> (Minor issue)
-CVE-2015-1198 [directory traversal vulnerabilities]
- RESERVED
+CVE-2015-1198 (Multiple directory traversal vulnerabilities in ha 0.999p+dfsg-5. ...)
- ha <removed> (low; bug #774954)
[squeeze] - ha <no-dsa> (Minor issue)
[wheezy] - ha <no-dsa> (Minor issue)
@@ -93795,8 +93786,8 @@
NOT-FOR-US: Social Microblogging PRO
CVE-2014-9515
RESERVED
-CVE-2014-9514
- RESERVED
+CVE-2014-9514 (Cross-site scripting (XSS) vulnerability in BMC Footprints Service ...)
+ TODO: check
CVE-2014-9512 (rsync 3.1.1 allows remote attackers to write to arbitrary files via a ...)
- rsync 3.1.1-3 (low; bug #778333)
[wheezy] - rsync <not-affected> (Affected sanitising functionality not yet present)
@@ -93854,8 +93845,8 @@
- request-tracker3.8 <removed> (unimportant)
CVE-2014-9470
RESERVED
-CVE-2014-9469
- RESERVED
+CVE-2014-9469 (Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, ...)
+ TODO: check
CVE-2014-9468 (Multiple cross-site scripting (XSS) vulnerabilities in InstantASP ...)
NOT-FOR-US: InstantASP InstantForum.NET
CVE-2014-9467
@@ -94113,8 +94104,7 @@
- linux-2.6 <not-affected> (Vulnerable code not present)
NOTE: http://marc.info/?l=linux-kernel&m=141986398232547&w=2
NOTE: http://marc.info/?l=linux-kernel&m=142047362307894&w=2
-CVE-2014-9513 [insecure use of temporary files]
- RESERVED
+CVE-2014-9513 (Insecure use of temporary files in xbindkeys-config 0.1.3-2 allows ...)
- xbindkeys-config <unfixed> (unimportant; bug #772473)
[jessie] - xbindkeys-config <no-dsa> (Minor issue)
[wheezy] - xbindkeys-config <no-dsa> (Minor issue)
@@ -94183,8 +94173,7 @@
CVE-2014-XXXX [CRAM-MD5 authentication bypass]
- dbmail <not-affected> (Only affects versions supporting cram-md5, so 3.0.0 and later)
NOTE: http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219
-CVE-2014-9483 [a left-click in Emacs sometimes modifies the PRIMARY selection]
- RESERVED
+CVE-2014-9483 (Emacs 24.4 allows remote attackers to bypass security restrictions. ...)
- emacs24 24.5+1-1 (unimportant; bug #774090)
- emacs23 <not-affected> (Only affects Emacs 24)
NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18939
@@ -95089,8 +95078,8 @@
RESERVED
CVE-2014-9313
RESERVED
-CVE-2014-9312
- RESERVED
+CVE-2014-9312 (Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. ...)
+ TODO: check
CVE-2014-9311 (Cross-site scripting (XSS) vulnerability in admin.php in the ...)
NOT-FOR-US: Shareaholic plugin for WordPress
CVE-2014-9310 (Cross-site scripting (XSS) vulnerability in the WordPress Backup to ...)
@@ -96388,12 +96377,10 @@
- eglibc <removed> (high; bug #776391)
- glibc 2.18-1 (high)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=15014
-CVE-2015-0234
- RESERVED
+CVE-2015-0234 (Multiple temporary file creation vulnerabilities in pki-core 10.2.0. ...)
- dogtag-pki <unfixed> (unimportant)
NOTE: Rendered unexploitable by /tmp hardening in Debian kernel
-CVE-2015-0233
- RESERVED
+CVE-2015-0233 (Multiple insecure Temporary File vulnerabilities in 389 Administration ...)
- 389-admin 1.1.38-1 (unimportant)
NOTE: Rendered unexploitable by /tmp hardening in Debian kernel
CVE-2015-0232 (The exif_process_unicode function in ext/exif/exif.c in PHP before ...)
@@ -96485,8 +96472,7 @@
- moodle 2.7.5+dfsg-1 (bug #775842)
[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
NOTE: https://moodle.org/mod/forum/discuss.php?d=278611#p1196676
-CVE-2015-0210 [wpa_supplicant: broken certificate subject check]
- RESERVED
+CVE-2015-0210 (wpa_supplicant 2.0-16 does not properly check certificate subject ...)
NOTE: likely to be REJECTed
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0210
CVE-2015-0209 (Use-after-free vulnerability in the d2i_ECPrivateKey function in ...)
@@ -96694,8 +96680,8 @@
NOT-FOR-US: IBM
CVE-2015-0115 (Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, ...)
NOT-FOR-US: IBM
-CVE-2015-0114
- RESERVED
+CVE-2015-0114 (Stack-based buffer overflow in IBM V5R4, and IBM i Access for Windows ...)
+ TODO: check
CVE-2015-0113 (The Jazz help system in IBM Rational Collaborative Lifecycle ...)
NOT-FOR-US: IBM Rational Collaborative Lifecycle Management
CVE-2015-0112 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative ...)
@@ -96720,8 +96706,8 @@
NOT-FOR-US: IBM Business Process Manager
CVE-2015-0102
RESERVED
-CVE-2015-0101
- RESERVED
+CVE-2015-0101 (Cross-site scripting (XSS) vulnerability in IBM Business Process ...)
+ TODO: check
CVE-2015-0100 (Microsoft Internet Explorer 8 allows remote attackers to execute ...)
NOT-FOR-US: Microsoft Internet Explorer
CVE-2015-0099 (Microsoft Internet Explorer 10 allows remote attackers to execute ...)
@@ -97126,8 +97112,8 @@
NOT-FOR-US: IBM WebSphere Portal
CVE-2014-8901 (IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 ...)
NOT-FOR-US: IBM
-CVE-2014-8900
- RESERVED
+CVE-2014-8900 (Cross-site request forgery (CSRF) vulnerability in IBM UrbanCode ...)
+ TODO: check
CVE-2014-8899 (Cross-site scripting (XSS) vulnerability in the Collaboration Server ...)
NOT-FOR-US: IBM
CVE-2014-8898 (Cross-site scripting (XSS) vulnerability in the Collaboration Server ...)
@@ -97188,10 +97174,10 @@
NOTE: Starting with mime-support 3.53, MimeType entries in desktop
NOTE: files end up in /etc/mailcap, which introduces the user-initiated
NOTE: code execution.
-CVE-2014-8872
- RESERVED
-CVE-2014-8871
- RESERVED
+CVE-2014-8872 (Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 ...)
+ TODO: check
+CVE-2014-8871 (Directory traversal vulnerability in hybris Commerce software suite ...)
+ TODO: check
CVE-2014-8870 (Open redirect vulnerability in mobiquo/smartbanner/welcome.php in the ...)
NOT-FOR-US: Woltlab Burning Board plugin Tapatalk
CVE-2014-8869 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
@@ -98368,12 +98354,12 @@
RESERVED
CVE-2014-8429 (Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats ...)
NOT-FOR-US: xEpan CMS
-CVE-2014-8428
- RESERVED
+CVE-2014-8428 (Privilege escalation vulnerability in Barracuda Load Balancer ...)
+ TODO: check
CVE-2014-8427
RESERVED
-CVE-2014-8426
- RESERVED
+CVE-2014-8426 (Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015. ...)
+ TODO: check
CVE-2014-8425 (The management portal in ARRIS VAP2500 before FW08.41 allows remote ...)
NOT-FOR-US: Management portal in ARRIS VAP2500
CVE-2014-8424 (ARRIS VAP2500 before FW08.41 does not properly validate passwords, ...)
@@ -98471,8 +98457,8 @@
NOT-FOR-US: Corel Painter
CVE-2014-8394 (Multiple untrusted search path vulnerabilities in Corel CAD 2014 allow ...)
NOT-FOR-US: Corel CAD
-CVE-2014-8393
- RESERVED
+CVE-2014-8393 (DLL Hijacking vulnerability in CorelDRAW X7, Corel Photo-Paint X7, ...)
+ TODO: check
CVE-2014-8392
RESERVED
CVE-2014-8391 (The Web interface in Sendio before 7.2.4 does not properly handle ...)
@@ -98762,8 +98748,8 @@
NOT-FOR-US: Panasonic Network Camera
CVE-2014-8754 (Open redirect vulnerability in track-click.php in the Ad-Manager ...)
NOT-FOR-US: WordPress plugin ad-manager-for-wp
-CVE-2014-8753
- RESERVED
+CVE-2014-8753 (Multiple cross-site scripting (XSS) vulnerabilities in Cit-e-Net ...)
+ TODO: check
CVE-2014-8752 (Multiple cross-site scripting (XSS) vulnerabilities in view.php in ...)
NOT-FOR-US: JCE-Tech PHP Video Script
CVE-2014-8751 (Multiple cross-site scripting (XSS) vulnerabilities in goYWP WebPress ...)
@@ -99058,8 +99044,7 @@
- autofs 5.0.8-2 (bug #779591)
[wheezy] - autofs <not-affected> (Vulnerable code introduced in 5.0.8)
- autofs5 <not-affected> (Vulnerable code introduced in 5.0.8)
-CVE-2014-8168
- RESERVED
+CVE-2014-8168 (Red Hat Satellite 6 allows local users to access mongod and delete ...)
NOT-FOR-US: Red Hat Satellite
CVE-2014-8167
RESERVED
@@ -99075,8 +99060,7 @@
CVE-2014-8164
RESERVED
NOT-FOR-US: Red Hat CloudForms
-CVE-2014-8163
- RESERVED
+CVE-2014-8163 (Directory traversal vulnerability in the XMLRPC interface in Red Hat ...)
NOT-FOR-US: Red Hat Satellite
CVE-2014-8162 (XML external entity (XXE) in the RPC interface in Spacewalk and Red ...)
NOT-FOR-US: Red Hat Satellite
@@ -105946,10 +105930,10 @@
RESERVED
CVE-2014-5303
RESERVED
-CVE-2014-5302
- RESERVED
-CVE-2014-5301
- RESERVED
+CVE-2014-5302 (Directory traversal vulnerability in ServiceDesk Plus and Plus MSP v5 ...)
+ TODO: check
+CVE-2014-5301 (Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 ...)
+ TODO: check
CVE-2014-5300 (Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote ...)
NOT-FOR-US: Adaptive Computing Moab
CVE-2014-5299
@@ -107028,8 +107012,8 @@
NOT-FOR-US: ACME micro_httpd
CVE-2014-4926
RESERVED
-CVE-2014-4925
- RESERVED
+CVE-2014-4925 (Cross-site scripting (XSS) vulnerability in Good for Enterprise for ...)
+ TODO: check
CVE-2014-4924
RESERVED
CVE-2014-4923
@@ -120690,8 +120674,7 @@
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0141
- RESERVED
+CVE-2014-0141 (Cross-site scripting (XSS) vulnerability in Red Hat Satellite 6.0.3. ...)
NOT-FOR-US: Red Hat Satellite
CVE-2014-0140 (Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
@@ -137743,8 +137726,7 @@
{DSA-2632-1}
- linux 3.2.39-1
- linux-2.6 <removed>
-CVE-2013-0870 [libavcodec/vp3.c: 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a]
- RESERVED
+CVE-2013-0870 (The 'vp3_decode_frame' function in FFmpeg 1.1.4 moves threads check ...)
- ffmpeg <not-affected> (No threading support in vp3 from ffmpeg 0.5)
- libav <not-affected> (Vulnerable code added in ffmpeg post-merge)
CVE-2013-0869 (The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 ...)
@@ -149985,8 +149967,8 @@
NOTE: https://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626
CVE-2012-2806 (Heap-based buffer overflow in the get_sos function in jdmarker.c in ...)
- libjpeg-turbo <not-affected> (Fixed before initial release)
-CVE-2012-2805
- RESERVED
+CVE-2012-2805 (Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to ...)
+ TODO: check
CVE-2012-2804 (Unspecified vulnerability in libavcodec/indeo3.c in FFmpeg before 0.11 ...)
- ffmpeg 7:2.4.1-1
- libav 6:0.8.5-1 (bug #688847)
More information about the Secure-testing-commits
mailing list