[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 4 commits: Process one NFU

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8fb5cf08 by Salvatore Bonaccorso at 2017-12-30T07:57:03+01:00
Process one NFU

- - - - -
0db73214 by Salvatore Bonaccorso at 2017-12-30T07:57:24+01:00
Add rails issues, undetermined yet

- - - - -
1931fcd3 by Salvatore Bonaccorso at 2017-12-30T07:57:45+01:00
Add new (undetermined) php-horde issue

- - - - -
89cdfe8e by Salvatore Bonaccorso at 2017-12-30T07:58:00+01:00
CVE-2017-17760: Add new opencv issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -516,7 +516,7 @@ CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/3755d2289b032919c065f6ab11ef570063f7f828
 	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/08278c7cf1c0b4f1da4cdcfaa857ff6b2373a1b2
 CVE-2017-17933 (cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or ...)
-	TODO: check
+	NOT-FOR-US: NetWin SurgeFTP
 CVE-2017-17932 (A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ...)
 	NOT-FOR-US: ALLPlayer
 CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the ...)
@@ -542,15 +542,23 @@ CVE-2017-17922
 CVE-2017-17921
 	RESERVED
 CVE-2017-17920 (SQL injection vulnerability in the 'reorder' method in Ruby on Rails ...)
-	TODO: check
+	- rails <undetermined>
+	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
+	TODO: check (and other possible earlier source packages)
 CVE-2017-17919 (SQL injection vulnerability in the 'order' method in Ruby on Rails ...)
-	TODO: check
+	- rails <undetermined>
+	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
+	TODO: check (and other possible earlier source packages)
 CVE-2017-17918
 	RESERVED
 CVE-2017-17917 (SQL injection vulnerability in the 'where' method in Ruby on Rails ...)
-	TODO: check
+	- rails <undetermined>
+	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
+	TODO: check (and other possible earlier source packages)
 CVE-2017-17916 (SQL injection vulnerability in the 'find_by' method in Ruby on Rails ...)
-	TODO: check
+	- rails <undetermined>
+	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
+	TODO: check (and other possible earlier source packages)
 CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...)
 	- graphicsmagick 1.3.27-3
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a
@@ -1078,7 +1086,8 @@ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-rea
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e3d2264109c
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/
 CVE-2017-17781 (In Horde Groupware through 5.2.22, SQL Injection exists via the group ...)
-	TODO: check
+	- php-horde <undetermined>
+	NOTE: http://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html
 CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS via a ...)
 	NOT-FOR-US: Clockwork SMS plugins for WordPress
 CVE-2017-17779 (Paid To Read Script 2.0.5 has SQL injection via the referrals.php id ...)
@@ -1171,6 +1180,9 @@ CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in ...)
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790853
 	NOTE: Crash in desktop tool, no/negligable security impact
 CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData ...)
+	- opencv <unfixed>
+	NOTE: https://github.com/opencv/opencv/issues/10351
+	NOTE: MISC:https://github.com/opencv/opencv/pull/10369/commits/7bbe1a53cfc097b82b1589f7915a2120de39274c
 	TODO: check
 CVE-2017-17759 (Conarc iChannel allows remote attackers to obtain sensitive ...)
 	NOT-FOR-US: Conarc iChannel



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3d1eb41b76511e626bd23b8c7cac6af31403150d...89cdfe8ef6215d3dcf164a7bac0dc5b8712b6390

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3d1eb41b76511e626bd23b8c7cac6af31403150d...89cdfe8ef6215d3dcf164a7bac0dc5b8712b6390
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20171230/d29edfa9/attachment.html>