[Secure-testing-commits] r53756 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Fri Jul 21 21:10:17 UTC 2017
Author: sectracker
Date: 2017-07-21 21:10:17 +0000 (Fri, 21 Jul 2017)
New Revision: 53756
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-07-21 19:32:01 UTC (rev 53755)
+++ data/CVE/list 2017-07-21 21:10:17 UTC (rev 53756)
@@ -1,3 +1,29 @@
+CVE-2017-11518
+ RESERVED
+CVE-2017-11517 (Stack-based buffer overflow in GCoreServer.exe in the server in ...)
+ TODO: check
+CVE-2017-11516 (An XSS vulnerability exists in ...)
+ TODO: check
+CVE-2017-11515
+ RESERVED
+CVE-2017-11514
+ RESERVED
+CVE-2017-11513
+ RESERVED
+CVE-2017-11512
+ RESERVED
+CVE-2017-11511
+ RESERVED
+CVE-2017-11510
+ RESERVED
+CVE-2017-11509
+ RESERVED
+CVE-2017-11508
+ RESERVED
+CVE-2017-11507
+ RESERVED
+CVE-2017-11506
+ RESERVED
CVE-2017-XXXX [endless loop in ReadTXTImage]
- imagemagick <unfixed> (bug #869210)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/591
@@ -456,7 +482,8 @@
[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1
[jessie] - imagemagick 8:6.8.9.9-5+deb8u10
NOTE: https://github.com/ImageMagick/ImageMagick/issues/527
-CVE-2017-11505 [CPU exhaustion in ReadOneJNGImage]
+CVE-2017-11505 (The ReadOneJNGImage function in coders/png.c in ImageMagick through ...)
+ {DSA-3914-1}
- imagemagick 8:6.9.7.4+dfsg-12 (bug #867824)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/526
CVE-2017-XXXX [memory exhaustion in ReadEPTImage in ept.c]
@@ -733,7 +760,7 @@
RESERVED
CVE-2017-1000083 [Evince command injection vulnerability in CBT handler]
RESERVED
- {DSA-3911-1 DLA-1031-1}
+ {DSA-3916-1 DSA-3911-1 DLA-1031-1}
- evince 3.22.1-4
- atril <unfixed> (bug #868500)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784630
@@ -5505,8 +5532,8 @@
NOT-FOR-US: Broadcom hardware issue
CVE-2017-9416 (Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, ...)
NOT-FOR-US: Odoo
-CVE-2017-9415
- RESERVED
+CVE-2017-9415 (Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 ...)
+ TODO: check
CVE-2017-9414
RESERVED
CVE-2017-9413
@@ -6514,7 +6541,6 @@
CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not ...)
- tikiwiki <removed>
CVE-2017-11352 (In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash ...)
- {DSA-3914-1}
- imagemagick 8:6.9.7.4+dfsg-12 (bug #868469)
[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1
NOTE: https://github.com/ImageMagick/ImageMagick/issues/502
@@ -9288,7 +9314,7 @@
CVE-2017-8087
RESERVED
CVE-2017-8086 (Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in ...)
- {DLA-965-1}
+ {DLA-1035-1 DLA-965-1}
- qemu 1:2.8+dfsg-5 (bug #861348)
- qemu-kvm <removed>
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2 (v2.9.0-rc4)
@@ -9598,7 +9624,7 @@
NOT-FOR-US: Enalean Tuleap
CVE-2017-7980
RESERVED
- {DLA-939-1}
+ {DLA-1035-1 DLA-939-1}
- qemu 1:2.8+dfsg-4
- qemu-kvm <removed>
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=026aeffcb4752054830ba203020ed6eb05bcaba8
@@ -10570,7 +10596,7 @@
CVE-2017-7719 (SQL injection in the Spider Event Calendar (aka spider-event-calendar) ...)
NOT-FOR-US: Spider Event Calendar
CVE-2017-7718 (hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local ...)
- {DLA-939-1}
+ {DLA-1035-1 DLA-939-1}
- qemu 1:2.8+dfsg-4
- qemu-kvm <removed>
NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=215902d7b6fb50c6fc216fc74f770858278ed904
@@ -11117,8 +11143,7 @@
RESERVED
CVE-2017-7543
RESERVED
-CVE-2017-7542
- RESERVED
+CVE-2017-7542 (The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux ...)
- linux <unfixed>
NOTE: Fixed by: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
CVE-2017-7541
@@ -11317,7 +11342,7 @@
- samba 2:4.5.8+dfsg-2
NOTE: https://www.samba.org/samba/security/CVE-2017-7494.html
CVE-2017-7493 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing ...)
- {DLA-965-1}
+ {DLA-1035-1 DLA-965-1}
- qemu 1:2.8+dfsg-6
- qemu-kvm <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1451709
@@ -11440,6 +11465,7 @@
NOTE: https://lkml.org/lkml/2017/4/3/724
CVE-2017-7471 [9p: virtfs allows guest to change filesystem attributes on host]
RESERVED
+ {DLA-1035-1}
- qemu 1:2.8+dfsg-5 (bug #860785)
[jessie] - qemu <not-affected> (Vulnerable code introduced with fix for CVE-2016-9602)
[wheezy] - qemu <not-affected> (Vulnerable code introduced with fix for CVE-2016-9602)
@@ -11756,7 +11782,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847
CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...)
- {DLA-965-1}
+ {DLA-1035-1 DLA-965-1}
- qemu 1:2.8+dfsg-4 (bug #859854)
[jessie] - qemu <no-dsa> (Minor issue)
- qemu-kvm <removed>
@@ -22325,7 +22351,7 @@
CVE-2017-3735
RESERVED
CVE-2017-3734
- RESERVED
+ REJECTED
CVE-2017-3733 (During a renegotiation handshake if the Encrypt-Then-Mac extension is ...)
- openssl 1.1.0e-1
[jessie] - openssl <not-affected> (Only affects 1.1)
@@ -26678,15 +26704,15 @@
NOT-FOR-US: Juniper
CVE-2017-2340 (On Juniper Networks Junos OS 15.1 releases from 15.1R3 to 15.1R4, 16.1 ...)
NOT-FOR-US: Juniper
-CVE-2017-2339 (A security researcher testing a Juniper NetScreen Firewall+VPN found ...)
+CVE-2017-2339 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...)
NOT-FOR-US: Juniper
-CVE-2017-2338 (A security researcher testing a Juniper NetScreen Firewall+VPN found ...)
+CVE-2017-2338 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...)
NOT-FOR-US: Juniper
-CVE-2017-2337 (A security researcher testing a Juniper NetScreen Firewall+VPN found ...)
+CVE-2017-2337 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...)
NOT-FOR-US: Juniper
-CVE-2017-2336 (A security researcher testing a Juniper NetScreen Firewall+VPN found ...)
+CVE-2017-2336 (A reflected cross site scripting vulnerability in NetScreen WebUI of ...)
NOT-FOR-US: Juniper
-CVE-2017-2335 (A security researcher testing a Juniper NetScreen Firewall+VPN found ...)
+CVE-2017-2335 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...)
NOT-FOR-US: Juniper
CVE-2017-2334 (An information leak vulnerability in Juniper Networks NorthStar ...)
NOT-FOR-US: Juniper
@@ -28600,8 +28626,8 @@
RESERVED
CVE-2017-1382
RESERVED
-CVE-2017-1381
- RESERVED
+CVE-2017-1381 (IBM WebSphere Application Server Proxy Server or On-demand-router ...)
+ TODO: check
CVE-2017-1380
RESERVED
CVE-2017-1379 (IBM API Connect 5.0.0.0 could allow a remote attacker to obtain ...)
@@ -28614,14 +28640,14 @@
RESERVED
CVE-2017-1375
RESERVED
-CVE-2017-1374
- RESERVED
-CVE-2017-1373
- RESERVED
-CVE-2017-1372
- RESERVED
-CVE-2017-1371
- RESERVED
+CVE-2017-1374 (Sensitive data can be exposed in the IBM TRIRIGA Application Platform ...)
+ TODO: check
+CVE-2017-1373 (Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and ...)
+ TODO: check
+CVE-2017-1372 (IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 is vulnerable to ...)
+ TODO: check
+CVE-2017-1371 (Builder tools running in the IBM TRIRIGA Application Platform 3.3, ...)
+ TODO: check
CVE-2017-1370
RESERVED
CVE-2017-1369
@@ -28828,8 +28854,8 @@
NOT-FOR-US: IBM
CVE-2017-1268
RESERVED
-CVE-2017-1267
- RESERVED
+CVE-2017-1267 (IBM Security Guardium 10.0 and 10.1 processes patches, image backups ...)
+ TODO: check
CVE-2017-1266
RESERVED
CVE-2017-1265
@@ -31315,7 +31341,7 @@
NOTE: Fixed by: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
CVE-2016-9603 [cirrus: heap buffer overflow via vnc connection]
RESERVED
- {DLA-939-1}
+ {DLA-1035-1 DLA-939-1}
- qemu 1:2.8+dfsg-4 (bug #857744)
- qemu-kvm <removed>
- xen 4.4.0-1
@@ -31325,7 +31351,7 @@
NOTE: Upstream patch http://git.qemu-project.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6
CVE-2016-9602 [9p: virtfs allows guest to access host filesystem]
RESERVED
- {DLA-965-1}
+ {DLA-1035-1 DLA-965-1}
- qemu 1:2.8+dfsg-3 (bug #853006)
[jessie] - qemu <no-dsa> (Minor issue)
- qemu-kvm <removed>
@@ -39839,11 +39865,11 @@
CVE-2016-7060 (The web interface in Red Hat QuickStart Cloud Installer (QCI) 1.0 does ...)
NOT-FOR-US: Red Hat QCI
CVE-2016-7059
- RESERVED
+ REJECTED
CVE-2016-7058
- RESERVED
+ REJECTED
CVE-2016-7057
- RESERVED
+ REJECTED
CVE-2016-7056 [ECDSA P-256 timing attack key recovery]
RESERVED
{DSA-3773-1 DLA-814-1}
@@ -72356,8 +72382,7 @@
NOT-FOR-US: abrt/libreport
CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server in ...)
NOT-FOR-US: Ipsilon
-CVE-2015-5300 [MITM attacker can force ntpd to make a step larger than the panic threshold]
- RESERVED
+CVE-2015-5300 (The panic_gate check in NTP before 4.2.8p5 is only re-enabled after ...)
{DSA-3388-1 DLA-335-1}
- ntp 1:4.2.8p4+dfsg-2
NOTE: https://www.cs.bu.edu/~goldbe/NTPattack.html
@@ -72701,8 +72726,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/08/20/4
CVE-2015-5220 (The Web Console in Red Hat Enterprise Application Platform (EAP) ...)
NOT-FOR-US: JBoss EAP
-CVE-2015-5219 [infinite loop in sntp processing crafted packet]
- RESERVED
+CVE-2015-5219 (The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not ...)
{DSA-3388-1 DLA-335-1}
- ntp 1:4.2.8p3+dfsg-1 (low)
[jessie] - ntp <no-dsa> (Minor issue)
@@ -72788,16 +72812,14 @@
REJECTED
CVE-2015-5196
REJECTED
-CVE-2015-5195 [ntpd crash when processing config commands with statistics type]
- RESERVED
+CVE-2015-5195 (ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers ...)
{DSA-3388-1 DLA-335-1}
- ntp 1:4.2.8p3+dfsg-1 (low)
[jessie] - ntp <no-dsa> (Minor issue)
[wheezy] - ntp <no-dsa> (Minor issue)
[squeeze] - ntp <no-dsa> (Minor issue)
NOTE: https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be
-CVE-2015-5194 [crash with crafted logconfig configuration command]
- RESERVED
+CVE-2015-5194 (The log_config_command function in ntp_parser.y in ntpd in NTP before ...)
{DSA-3388-1 DLA-335-1}
- ntp 1:4.2.8p3+dfsg-1 (low)
[jessie] - ntp <no-dsa> (Minor issue)
@@ -74376,8 +74398,8 @@
NOTE: https://bugs.php.net/bug.php?id=69667
NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64
NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3
-CVE-2015-4639
- RESERVED
+CVE-2015-4639 (Multiple cross-site request forgery (CSRF) vulnerabilities in Koha ...)
+ TODO: check
CVE-2015-4638 (The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...)
NOT-FOR-US: FastL4
CVE-2015-4637 (The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 ...)
@@ -76326,10 +76348,10 @@
RESERVED
CVE-2015-3933
RESERVED
-CVE-2015-3932
- RESERVED
-CVE-2015-3931
- RESERVED
+CVE-2015-3932 (Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML ...)
+ TODO: check
+CVE-2015-3931 (Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform ...)
+ TODO: check
CVE-2015-3930
RESERVED
CVE-2015-3929
@@ -76596,8 +76618,7 @@
[jessie] - horizon <not-affected> (Vulnerable code not present)
[wheezy] - horizon <not-affected> (Vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/9
-CVE-2015-3886 [does not correctly check certificates for validity]
- RESERVED
+CVE-2015-3886 (libinfinity before 0.6.6-1 does not validate expired SSL certificates, ...)
- libinfinity 0.6.6-1 (bug #783601)
[jessie] - libinfinity 0.6.6-1~deb8u1
[wheezy] - libinfinity <not-affected> (vulnerable code not present)
@@ -77161,12 +77182,12 @@
RESERVED
CVE-2015-3641
RESERVED
-CVE-2015-3640
- RESERVED
-CVE-2015-3639
- RESERVED
-CVE-2015-3638
- RESERVED
+CVE-2015-3640 (phpMyBackupPro 2.5 and earlier does not properly escape the "." ...)
+ TODO: check
+CVE-2015-3639 (phpMyBackupPro 2.5 and earlier does not properly sanitize input ...)
+ TODO: check
+CVE-2015-3638 (phpMyBackupPro before 2.5 does not validate integer input, which ...)
+ TODO: check
CVE-2015-3637
RESERVED
CVE-2015-3635
@@ -77669,8 +77690,8 @@
RESERVED
CVE-2015-3422 (Cross-site scripting (XSS) vulnerability in SearchBlox before 8.2.1 ...)
NOT-FOR-US: SearchBlox
-CVE-2015-3421
- RESERVED
+CVE-2015-3421 (The eshop_checkout function in checkout.php in the Wordpress Eshop ...)
+ TODO: check
CVE-2015-3419
RESERVED
CVE-2015-3413
@@ -78523,8 +78544,7 @@
NOTE: http://redmine.lighttpd.net/issues/2646
CVE-2015-3199
REJECTED
-CVE-2015-3198
- RESERVED
+CVE-2015-3198 (The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before ...)
NOT-FOR-US: Undertow module of WildFly / JBOSS
CVE-2015-3197 (ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f ...)
{DLA-421-1}
@@ -78633,8 +78653,7 @@
- sosreport 3.2-2 (bug #769521)
NOTE: https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6
NOTE: https://github.com/sosreport/sos/issues/425
-CVE-2015-3170
- RESERVED
+CVE-2015-3170 (selinux-policy when sysctl fs.protected_hardlinks are set to 0 allows ...)
NOT-FOR-US: Red Hat specific issue with selinux-policy rpm package
CVE-2015-3169 [XSS]
RESERVED
@@ -84459,8 +84478,7 @@
CVE-2015-1324
RESERVED
[experimental] - apport 2.17.3-1
-CVE-2015-1323 [information disclosure via simulate dbus method]
- RESERVED
+CVE-2015-1323 (The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 ...)
{DLA-261-1}
- aptdaemon 1.1.1+bzr982-1 (bug #789162)
[jessie] - aptdaemon 1.1.1-4+deb8u1
@@ -135985,7 +136003,7 @@
CVE-2012-5638 (The setup_logging function in log.h in SANLock uses world-writable ...)
- sanlock 2.2-2 (bug #696424)
CVE-2012-5637
- RESERVED
+ REJECTED
CVE-2012-5636
RESERVED
CVE-2012-5635 (The GlusterFS functionality in Red Hat Storage Management Console 2.0, ...)
@@ -141639,7 +141657,7 @@
CVE-2012-3551 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Crowbar
CVE-2012-3550
- RESERVED
+ REJECTED
CVE-2012-3549 (The SCTP implementation in FreeBSD 8.2 allows remote attackers to ...)
- kfreebsd-8 8.3-5 (bug #686961)
[squeeze] - kfreebsd-8 <no-dsa> (Minor issue)
@@ -144736,7 +144754,7 @@
- linux-2.6 3.2.17-1
[squeeze] - linux-2.6 <not-affected> (Vulnerable code not present)
CVE-2012-2382
- RESERVED
+ REJECTED
CVE-2012-2381 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller ...)
NOT-FOR-US: Apache Roller
CVE-2012-2380 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
@@ -144920,7 +144938,7 @@
CVE-2012-2324 (Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) ...)
NOT-FOR-US: MyBB
CVE-2012-2323
- RESERVED
+ REJECTED
CVE-2012-2322 (Integer overflow in the dhcpv6_get_option function in gdhcp/client.c ...)
- connman 1.0-1 (bug #672989)
[squeeze] - connman <not-affected> (Vulnerable code not present)
@@ -152614,10 +152632,10 @@
CVE-2011-4367 (Multiple directory traversal vulnerabilities in MyFaces JavaServer ...)
- mojarra <not-affected> (The Debian package only ships some API classes)
CVE-2011-4366
- RESERVED
+ REJECTED
NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
- RESERVED
+ REJECTED
NOTE: duplicate of CVE-2011-4090
CVE-2011-4364 (Buffer overflow in the Sierra VMD decoder in libavcodec in FFmpeg ...)
{DSA-2378-1}
@@ -162829,7 +162847,7 @@
NOTE: Python 2.7 and 3.1 are fixed
NOTE: http://bugs.python.org/issue2254
CVE-2011-1014
- RESERVED
+ REJECTED
CVE-2011-1013 (Integer signedness error in the drm_modeset_ctl function in (1) ...)
- linux-2.6 2.6.38-1
[wheezy] - linux-2.6 2.6.32-31
@@ -170274,7 +170292,7 @@
{DSA-2109-1}
- samba 2:3.5.5~dfsg-1 (bug #596891)
CVE-2010-3068
- RESERVED
+ REJECTED
CVE-2010-3067 (Integer overflow in the do_io_submit function in fs/aio.c in the Linux ...)
{DSA-2126-1}
- linux-2.6 2.6.32-24
More information about the Secure-testing-commits
mailing list