[Secure-testing-commits] r52428 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Thu Jun 8 21:10:13 UTC 2017
Author: sectracker
Date: 2017-06-08 21:10:13 +0000 (Thu, 08 Jun 2017)
New Revision: 52428
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-06-08 19:40:27 UTC (rev 52427)
+++ data/CVE/list 2017-06-08 21:10:13 UTC (rev 52428)
@@ -1,3 +1,13 @@
+CVE-2017-9520 (The r_config_set function in libr/config/config.c in radare2 1.5.0 ...)
+ TODO: check
+CVE-2017-9519 (atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user ...)
+ TODO: check
+CVE-2017-9518 (atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP ...)
+ TODO: check
+CVE-2017-9517 (atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and ...)
+ TODO: check
+CVE-2017-9516 (Craft CMS before 2.6.2982 allows for a potential XSS attack vector by ...)
+ TODO: check
CVE-2017-9515
RESERVED
CVE-2017-9514
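Review bot: The five entries added at the top of this hunk (CVE-2017-9520 through CVE-2017-9516) all land as `TODO: check`, so none of them carries a package line or a NOT-FOR-US marker yet. The three atmail CSRF entries (CVE-2017-9519, CVE-2017-9518, CVE-2017-9517) share the same "before 7.8.0.2" boundary and can be triaged as one unit. The radare2 entry already names a file and version (libr/config/config.c, 1.5.0), which is enough to start a source check.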
@@ -516,8 +526,7 @@
[wheezy] - chicken <no-dsa> (Minor issue)
NOTE: Original announcement: http://lists.nongnu.org/archive/html/chicken-announce/2017-05/msg00000.html
NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html
-CVE-2017-9330 [usb: ohci: infinite loop due to incorrect return value]
- RESERVED
+CVE-2017-9330 (QEMU (aka Quick Emulator), when built with the USB OHCI Emulation ...)
- qemu <unfixed> (bug #863943)
[stretch] - qemu <no-dsa> (Minor issue)
[jessie] - qemu <no-dsa> (Minor issue)
@@ -710,8 +719,7 @@
NOTE: https://www.sudo.ws/alerts/linux_tty.html
NOTE: http://www.openwall.com/lists/oss-security/2017/05/30/16
NOTE: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b
-CVE-2017-9310 [net: infinite loop in e1000e NIC emulation]
- RESERVED
+CVE-2017-9310 (QEMU (aka Quick Emulator), when built with the e1000e NIC emulation ...)
- qemu <unfixed> (bug #863840)
[stretch] - qemu <no-dsa> (Minor issue)
[jessie] - qemu <no-dsa> (Minor issue)
@@ -1585,13 +1593,11 @@
NOTE: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
CVE-2017-9024 (Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes ...)
NOT-FOR-US: Secure Bytes Cisco Configuration Manager
-CVE-2017-9023
- RESERVED
+CVE-2017-9023 (The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE ...)
{DSA-3866-1 DLA-973-1}
- strongswan 5.5.1-4
NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=407fcca200fdf6a41a04ac0885a770b6b53c5d23
-CVE-2017-9022
- RESERVED
+CVE-2017-9022 (The gmp plugin in strongSwan before 5.5.3 does not properly validate ...)
{DSA-3866-1 DLA-973-1}
- strongswan 5.5.1-4
NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=6681d98d18d24b31410fc12c3d61f150107481b3
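Review bot: Both imported descriptions here (CVE-2017-9023 and CVE-2017-9022) say "before 5.5.3", while the package lines record the fix in strongswan 5.5.1-4. Nothing in the entries states why a lower version number is the fixed one; presumably the upstream commits in the NOTE lines were backported. A one-line NOTE saying so would keep a reader from flagging 5.5.1-4 as vulnerable on a plain version comparison against the description.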
@@ -3848,8 +3854,8 @@
NOTE: https://github.com/saltstack/salt/issues/40075
NOTE: https://github.com/saltstack/salt/pull/40609
NOTE: https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151
-CVE-2017-8108
- RESERVED
+CVE-2017-8108 (Unspecified tests in Lynis before 2.5.0 allow local users to write to ...)
+ TODO: check
CVE-2017-8107
RESERVED
CVE-2017-8106 (The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel ...)
@@ -6887,8 +6893,8 @@
RESERVED
CVE-2017-7181
RESERVED
-CVE-2017-7180
- RESERVED
+CVE-2017-7180 (Net Monitor for Employees Pro through 5.3.4 has an unquoted service ...)
+ TODO: check
CVE-2017-7179
RESERVED
CVE-2016-10253 (An issue was discovered in Erlang/OTP 18.x. Erlang's generation of ...)
@@ -8114,8 +8120,8 @@
NOT-FOR-US: Cisco
CVE-2017-6649 (A vulnerability in the CLI of Cisco NX-OS System Software 7.1 through ...)
NOT-FOR-US: Cisco
-CVE-2017-6648
- RESERVED
+CVE-2017-6648 (A vulnerability in the Session Initiation Protocol (SIP) of the Cisco ...)
+ TODO: check
CVE-2017-6647 (A vulnerability in the web interface of Cisco Remote Expert Manager ...)
NOT-FOR-US: Cisco
CVE-2017-6646 (A vulnerability in the web interface of Cisco Remote Expert Manager ...)
@@ -8130,12 +8136,12 @@
NOT-FOR-US: Cisco
CVE-2017-6641 (A vulnerability in the TCP connection handling functionality of Cisco ...)
NOT-FOR-US: Cisco
-CVE-2017-6640
- RESERVED
-CVE-2017-6639
- RESERVED
-CVE-2017-6638
- RESERVED
+CVE-2017-6640 (A vulnerability in Cisco Prime Data Center Network Manager (DCNM) ...)
+ TODO: check
+CVE-2017-6639 (A vulnerability in the role-based access control (RBAC) functionality ...)
+ TODO: check
+CVE-2017-6638 (A vulnerability in how DLL files are loaded with Cisco AnyConnect ...)
+ TODO: check
CVE-2017-6637 (A vulnerability in the web interface of Cisco Prime Collaboration ...)
NOT-FOR-US: Cisco
CVE-2017-6636 (A vulnerability in the web interface of Cisco Prime Collaboration ...)
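Review bot: CVE-2017-6640, CVE-2017-6639 and CVE-2017-6638 come in as `TODO: check`, while every already-triaged Cisco entry in the surrounding context (CVE-2017-6641, CVE-2017-6637) is marked `NOT-FOR-US: Cisco`. The descriptions name Cisco Prime DCNM, an RBAC function and Cisco AnyConnect DLL loading, so the follow-up triage should be able to resolve all three with the same marker in one pass rather than leaving them open.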
@@ -10487,8 +10493,8 @@
NOT-FOR-US: Splunk
CVE-2017-5879 (An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL ...)
NOT-FOR-US: Exponent CMS
-CVE-2017-5878
- RESERVED
+CVE-2017-5878 (The AMF unmarshallers in Red5 Media Server before 1.0.8 do not ...)
+ TODO: check
CVE-2016-10207 (The Xvnc server in TigerVNC allows remote attackers to cause a denial ...)
- tigervnc 1.7.0-1
NOTE: https://github.com/TigerVNC/tigervnc/commit/8aa4bc53206c2430bbf0c8f4b642f59a379ee649
@@ -14075,8 +14081,8 @@
RESERVED
CVE-2017-4919
RESERVED
-CVE-2017-4918
- RESERVED
+CVE-2017-4918 (VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains ...)
+ TODO: check
CVE-2017-4917 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x ...)
NOT-FOR-US: VMware
CVE-2017-4916 (VMware Workstation Pro/Player contains a NULL pointer dereference ...)
@@ -14085,20 +14091,20 @@
NOT-FOR-US: VMware
CVE-2017-4914 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x ...)
NOT-FOR-US: VMware
-CVE-2017-4913
- RESERVED
-CVE-2017-4912
- RESERVED
-CVE-2017-4911
- RESERVED
-CVE-2017-4910
- RESERVED
-CVE-2017-4909
- RESERVED
-CVE-2017-4908
- RESERVED
-CVE-2017-4907
- RESERVED
+CVE-2017-4913 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4912 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4911 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4910 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4909 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4908 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...)
+ TODO: check
+CVE-2017-4907 (VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and ...)
+ TODO: check
CVE-2017-4906
RESERVED
CVE-2017-4905 (VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without ...)
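Review bot: The seven entries from CVE-2017-4913 down to CVE-2017-4907 are left at `TODO: check`, although the context lines directly above them mark the neighbouring VMware entries as `NOT-FOR-US: VMware`. Six of the seven share the same truncated text ("VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ..."), so they cannot be distinguished from this file alone; triage them as a batch and apply the same marker the adjacent entries use.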
@@ -14109,8 +14115,8 @@
NOT-FOR-US: VMware
CVE-2017-4902 (VMware ESXi 6.5 without patch ESXi650-201703410-SG and 5.5 without ...)
NOT-FOR-US: VMware
-CVE-2017-4901
- RESERVED
+CVE-2017-4901 (The drag-and-drop (DnD) function in VMware Workstation 12.x before ...)
+ TODO: check
CVE-2017-4900 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a NULL ...)
NOT-FOR-US: VMware
CVE-2017-4899 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a security ...)
@@ -34026,8 +34032,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1378673#c7
NOTE: https://github.com/FasterXML/jackson-dataformat-xml/issues/211
NOTE: https://github.com/FasterXML/jackson-dataformat-xml/commit/eeff2c312e9d4caa8c9f27b8f740c7529d00524a (2.7.8)
-CVE-2016-7050
- RESERVED
+CVE-2016-7050 (SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop ...)
- resteasy 3.0.18-1
[jessie] - resteasy <no-dsa> (Minor issue)
NOTE: The SerializableProvider has been disabled by default in 3.0.17
@@ -35573,8 +35578,8 @@
NOTE: https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability
CVE-2016-6596
RESERVED
-CVE-2016-6594
- RESERVED
+CVE-2016-6594 (Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, ProxySG 6.5 and ...)
+ TODO: check
CVE-2016-6593
RESERVED
NOT-FOR-US: Symantec VIP Access
@@ -38664,8 +38669,7 @@
NOT-FOR-US: ZModo
CVE-2016-5649
RESERVED
-CVE-2016-5648
- RESERVED
+CVE-2016-5648 (Acer Portal app before 3.9.4.2000 for Android does not properly ...)
NOT-FOR-US: Acer Portal Android application
CVE-2016-5647 (The igdkmd64 module in the Intel Graphics Driver through 15.33.42.435, ...)
NOT-FOR-US: Intel Windows drivers
@@ -39389,8 +39393,7 @@
NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2212c1420c92a33b0e0bd9a34938c9814a56c0f7 (glibc-2.22)
NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 (glibc-2.24)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257
-CVE-2016-5416 [ACI readable by anonymous user]
- RESERVED
+CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...)
- 389-ds-base <unfixed> (bug #834233)
NOTE: https://fedorahosted.org/389/ticket/48852
NOTE: Potentially related: https://fedorahosted.org/389/ticket/48354
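Review bot: On CVE-2016-5416 the removed bracketed summary, "ACI readable by anonymous user", was the only text in the entry that stated the flaw. The replacement description is truncated right after the product name and reads the same as the ones imported for CVE-2016-5405 and CVE-2016-4992 elsewhere in this commit. Since this entry is still `<unfixed>` (bug #834233), a NOTE line carrying the old summary would keep the impact visible to whoever picks up the fix.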
@@ -39430,8 +39433,7 @@
NOTE: https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
CVE-2016-5406 (The domain controller in Red Hat JBoss Enterprise Application Platform ...)
NOT-FOR-US: JBoss EAP
-CVE-2016-5405 [Password verification vulnerable to timing attack]
- RESERVED
+CVE-2016-5405 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...)
- 389-ds-base 1.3.5.15-1 (bug #842121)
CVE-2016-5404 (The cert_revoke command in FreeIPA does not check for the "revoke ...)
- freeipa 4.3.2-5 (bug #835131)
@@ -41418,8 +41420,7 @@
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873
CVE-2016-4993 (CRLF injection vulnerability in the Undertow web server in WildFly ...)
NOT-FOR-US: JBoss Enterprise Application Platform
-CVE-2016-4992 [Information disclosure via repeated use of LDAP ADD operation]
- RESERVED
+CVE-2016-4992 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...)
- 389-ds-base 1.3.5.13-1
[jessie] - 389-ds-base <no-dsa> (Minor issue)
NOTE: http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-5-13.html
@@ -43073,8 +43074,7 @@
- foreman <itp> (bug #663101)
CVE-2016-4474 (The image build process for the overcloud images in Red Hat OpenStack ...)
NOT-FOR-US: Red Hat OpenStack Overcloud image
-CVE-2016-4473
- RESERVED
+CVE-2016-4473 (/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers ...)
{DLA-628-1}
- php5 5.6.23+dfsg-1
[jessie] - php5 5.6.23+dfsg-0+deb8u1
@@ -43087,8 +43087,7 @@
{DSA-3582-1 DLA-483-1}
- expat 2.1.1-2
NOTE: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc
-CVE-2016-4471
- RESERVED
+CVE-2016-4471 (ManageIQ in CloudForms before 4.1 allows remote authenticated users to ...)
NOT-FOR-US: Red Hat CloudForms
CVE-2016-4470 (The key_reject_and_link function in security/keys/key.c in the Linux ...)
{DSA-3607-1 DLA-609-1}
@@ -43121,8 +43120,7 @@
- libapache2-mod-cluster <itp> (bug #731410)
CVE-2016-4458
RESERVED
-CVE-2016-4457
- RESERVED
+CVE-2016-4457 (CloudForms Management Engine before 5.8 includes a default SSL/TLS ...)
NOT-FOR-US: Red Hat CloudForms
CVE-2016-4455 (The Subscription Manager package (aka subscription-manager) before ...)
NOT-FOR-US: Red Hat Subscription Manager
@@ -45307,8 +45305,7 @@
RESERVED
CVE-2016-3691 (Routes in Kallithea before 0.3.2 allows remote attackers to bypass the ...)
- kallithea <itp> (bug #689573)
-CVE-2016-3690
- RESERVED
+CVE-2016-3690 (The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote ...)
NOT-FOR-US: PooledInvokerServlet
CVE-2016-3941 (Buffer overflow in the AStreamPeekStream function in input/stream.c in ...)
- vlc 2.2.0-1
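Review bot: The marker on CVE-2016-3690 reads `NOT-FOR-US: PooledInvokerServlet`, which names a component, while the newly imported description places it "in JBoss EAP 4.x and 5.x". Other entries in this file use the product name for the marker (for example `NOT-FOR-US: JBoss EAP` on CVE-2016-5406), so the marker here should be aligned with the product now that the description is available.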
@@ -46737,21 +46734,17 @@
CVE-2016-3113
RESERVED
NOT-FOR-US: ovirt-engine
-CVE-2016-3112
- RESERVED
+CVE-2016-3112 (client/consumer/cli.py in Pulp before 2.8.3 writes consumer private ...)
NOT-FOR-US: Pulp (Red Hat)
-CVE-2016-3111
- RESERVED
+CVE-2016-3111 (pulp.spec in Pulp 2.8.3 allows local users to read generated RSA keys. ...)
NOT-FOR-US: Pulp (Red Hat)
CVE-2016-3110 (mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote ...)
- libapache2-mod-cluster <itp> (bug #731410)
CVE-2016-3109 (The backend/Login/load/ script in Shopware before 5.1.5 allows remote ...)
NOT-FOR-US: Shopware
-CVE-2016-3108
- RESERVED
+CVE-2016-3108 (The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows ...)
NOT-FOR-US: Pulp (Red Hat)
-CVE-2016-3107
- RESERVED
+CVE-2016-3107 (The Node certificate in Pulp before 2.8.3 contains the private key, ...)
NOT-FOR-US: Pulp (Red Hat)
CVE-2016-3106 (Pulp before 2.8.3 creates a temporary directory during CA key ...)
NOT-FOR-US: Pulp (Red Hat)
@@ -46781,8 +46774,7 @@
NOTE: https://bugs.kde.org/show_bug.cgi?id=363140
NOTE: https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
NOTE: https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
-CVE-2016-3099 [Invalid handling of +CIPHER operator]
- RESERVED
+CVE-2016-3099 (mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux ...)
- libapache2-mod-nss 1.0.14-1 (bug #822461)
[jessie] - libapache2-mod-nss <not-affected> (Vulnerability introduced in 1.0.11)
[wheezy] - libapache2-mod-nss <not-affected> (Vulnerability introduced in 1.0.11)
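Review bot: The imported description for CVE-2016-3099 starts with "mod_ns", but the package line and both release lines refer to libapache2-mod-nss. A search of this file for mod_nss will no longer match the description line, and the removed summary "Invalid handling of +CIPHER operator" was the only statement of the flaw. A NOTE line that keeps the summary and the correct module name would cover both.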
@@ -46796,8 +46788,7 @@
[jessie] - ansible <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1322925
NOTE: https://sources.debian.net/src/ansible/2.0.1.0-1/lib/ansible/modules/extras/cloud/lxc/lxc_container.py/?hl=523#L523
-CVE-2016-3095
- RESERVED
+CVE-2016-3095 (server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local ...)
NOT-FOR-US: Pulp (Red Hat)
CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker ...)
NOT-FOR-US: Apache Qpid Java Broker
@@ -46813,8 +46804,8 @@
NOTE: Fixed by https://svn.apache.org/r1743480
NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3
NOTE: https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
-CVE-2016-3091
- RESERVED
+CVE-2016-3091 (Cloud Foundry Diego 0.1468.0 through 0.1470.0 allows remote attackers ...)
+ TODO: check
CVE-2016-3090
RESERVED
CVE-2016-3089 (Cross-site scripting (XSS) vulnerability in the SWF panel in Apache ...)
@@ -50762,8 +50753,8 @@
NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
CVE-2016-2035
REJECTED
-CVE-2016-2034
- RESERVED
+CVE-2016-2034 (SQL injection vulnerability in ClearPass Policy Manager 6.5.x through ...)
+ TODO: check
CVE-2016-2033
RESERVED
CVE-2016-2032
@@ -73821,8 +73812,8 @@
RESERVED
CVE-2015-2801
RESERVED
-CVE-2015-2800
- RESERVED
+CVE-2015-2800 (The user authentication module in Huawei Campus switches S5700, S5300, ...)
+ TODO: check
CVE-2015-2799
RESERVED
CVE-2015-2798
@@ -75681,16 +75672,16 @@
RESERVED
CVE-2015-2256
RESERVED
-CVE-2015-2255
- RESERVED
+CVE-2015-2255 (Huawei AR1220 routers with software before V200R005SPH006 allows ...)
+ TODO: check
CVE-2015-2254
RESERVED
-CVE-2015-2253
- RESERVED
-CVE-2015-2252
- RESERVED
-CVE-2015-2251
- RESERVED
+CVE-2015-2253 (The XML interface in Huawei OceanStor UDS devices with software before ...)
+ TODO: check
+CVE-2015-2252 (Huawei OceanStor UDS devices with software before V100R002C01SPC102 ...)
+ TODO: check
+CVE-2015-2251 (The DeviceManager in Huawei OceanStor UDS devices with software before ...)
+ TODO: check
CVE-2015-2250 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 ...)
NOT-FOR-US: concrete5
CVE-2015-2249
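Review bot: CVE-2015-2255, CVE-2015-2253, CVE-2015-2252 and CVE-2015-2251 are added as `TODO: check`, and all four descriptions refer to Huawei devices "with software before" a vendor firmware version (AR1220 routers, OceanStor UDS). These read as appliance firmware issues, so they are candidates for a single NOT-FOR-US marker; resolving them together avoids four separate open items for the same vendor.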
@@ -85246,8 +85237,8 @@
RESERVED
CVE-2014-8688 (An issue was discovered in Telegram Messenger 2.6 for iOS and 1.8.2 for ...)
NOT-FOR-US: Telegram Messenger
-CVE-2014-8687
- RESERVED
+CVE-2014-8687 (Seagate Business NAS devices with firmware before 2015.00322 allow ...)
+ TODO: check
CVE-2014-8686
RESERVED
CVE-2014-8685
@@ -87608,8 +87599,8 @@
NOT-FOR-US: Android MediaServer
CVE-2014-7920 (mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to ...)
NOT-FOR-US: Android MediaServer
-CVE-2014-7919
- RESERVED
+CVE-2014-7919 (b/libs/gui/ISurfaceComposer.cpp in Android allows attackers to trigger ...)
+ TODO: check
CVE-2014-7918
RESERVED
CVE-2014-7917 (Integer overflow in SampleTable.cpp in libstagefright in Android ...)
@@ -92084,8 +92075,8 @@
REJECTED
CVE-2014-6032 (Multiple XML External Entity (XXE) vulnerabilities in the ...)
NOT-FOR-US: F5 Networks Big-IP
-CVE-2014-6031
- RESERVED
+CVE-2014-6031 (Buffer overflow in the mcpq daemon in F5 BIG-IP systems 10.x before ...)
+ TODO: check
CVE-2014-6030 (Multiple SQL injection vulnerabilities in ClassApps SelectSurvey.NET ...)
NOT-FOR-US: ClassApps SelectSurvey.NET
CVE-2014-6026
@@ -94908,8 +94899,8 @@
NOT-FOR-US: WordPress plugin
CVE-2014-4844 (The import/export functionality in IBM Business Process Manager (BPM) ...)
NOT-FOR-US: IBM
-CVE-2014-4843
- RESERVED
+CVE-2014-4843 (Curam Universal Access in IBM Curam Social Program Management (SPM) ...)
+ TODO: check
CVE-2014-4842
RESERVED
CVE-2014-4841
@@ -98494,8 +98485,7 @@
NOT-FOR-US: Apache Cordova
CVE-2014-3499 (Docker 1.0.0 uses world-readable and world-writable permissions on the ...)
- docker.io <not-affected> (RHEL specific, socket based activation not shipped)
-CVE-2014-3498
- RESERVED
+CVE-2014-3498 (The user module in ansible before 1.6.6 allows remote authenticated ...)
- ansible 1.7.0+dfsg-1
NOTE: https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5 (v1.7.0)
CVE-2014-3497 (Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 ...)