[Secure-testing-commits] r49491 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Tue Mar 7 21:10:12 UTC 2017
Author: sectracker
Date: 2017-03-07 21:10:12 +0000 (Tue, 07 Mar 2017)
New Revision: 49491
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-03-07 19:58:23 UTC (rev 49490)
+++ data/CVE/list 2017-03-07 21:10:12 UTC (rev 49491)
@@ -1,3 +1,11 @@
+CVE-2017-6511 (andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in ...)
+ TODO: check
+CVE-2017-6510
+ RESERVED
+CVE-2017-6509 (Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a reflected XSS ...)
+ TODO: check
+CVE-2017-6507
+ RESERVED
CVE-2017-XXXX [Cross-site scripting (XSS) via media file metadata]
- wordpress 4.7.3+dfsg-1 (bug #857026)
NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
@@ -27,7 +35,7 @@
[wheezy] - wordpress <not-affected> (Only affects 4.2 and later)
NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
NOTE: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
-CVE-2017-6508 [CRLF injection in the url_parse function in url.c]
+CVE-2017-6508 (CRLF injection vulnerability in the url_parse function in url.c in Wget ...)
- wget <unfixed> (bug #857073)
NOTE: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
@@ -103,7 +111,8 @@
NOT-FOR-US: INTER-Mediator
CVE-2017-6483 (Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor ...)
NOT-FOR-US: ATutor
-CVE-2017-6482 (Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR ...)
+CVE-2017-6482
+ REJECTED
NOT-FOR-US: OpenEMR
CVE-2017-6481 (Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam ...)
NOT-FOR-US: phpipam
@@ -470,7 +479,7 @@
NOT-FOR-US: WPO-Foundation WebPageTest
CVE-2017-6395 (An issue was discovered in HashOver 2.0. The vulnerability exists due ...)
NOT-FOR-US: HashOveer
-CVE-2017-6394 (An issue was discovered in OpenEMR 5.0.1-dev. The vulnerability exists ...)
+CVE-2017-6394 (Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR ...)
NOT-FOR-US: OpenEMR
CVE-2017-6393 (An issue was discovered in NagVis 1.9b12. The vulnerability exists due ...)
- nagvis <not-affected> (Vulnerable code introduced in nagvis-1.8.0)
@@ -1497,8 +1506,8 @@
- xbmc <undetermined>
NOTE: http://seclists.org/fulldisclosure/2017/Feb/27
NOTE: http://trac.kodi.tv/ticket/17314
-CVE-2017-5681
- RESERVED
+CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology (QAT) ...)
+ TODO: check
CVE-2017-6056 (It was discovered that a programming error in the processing of HTTPS ...)
{DSA-3788-1 DSA-3787-1 DLA-823-1}
- tomcat8 8.0.21-2 (bug #851304)
@@ -7067,8 +7076,7 @@
RESERVED
CVE-2016-10041 (An issue was discovered in Sprecher Automation SPRECON-E Service ...)
NOT-FOR-US: Sprecher Automation SPRECON-E Service
-CVE-2016-10040
- RESERVED
+CVE-2016-10040 (Stack-based buffer overflow in QXmlSimpleReader in Qt 4.8.5 allows ...)
- qt4-x11 <unfixed> (bug #851058)
[jessie] - qt4-x11 <no-dsa> (Minor issue)
[wheezy] - qt4-x11 <no-dsa> (Minor issue)
@@ -9414,8 +9422,7 @@
RESERVED
CVE-2017-3160
RESERVED
-CVE-2017-3159
- RESERVED
+CVE-2017-3159 (Apache Camel's camel-snakeyaml component is vulnerable to Java object ...)
NOT-FOR-US: Apache Camel
CVE-2017-3158
RESERVED
@@ -13905,8 +13912,8 @@
RESERVED
CVE-2017-1134
RESERVED
-CVE-2017-1133
- RESERVED
+CVE-2017-1133 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This ...)
+ TODO: check
CVE-2017-1132
RESERVED
CVE-2017-1131
@@ -13923,8 +13930,8 @@
RESERVED
CVE-2017-1125
RESERVED
-CVE-2017-1124
- RESERVED
+CVE-2017-1124 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local ...)
+ TODO: check
CVE-2017-1123
RESERVED
CVE-2017-1122
@@ -14444,8 +14451,8 @@
RESERVED
CVE-2016-9741
RESERVED
-CVE-2016-9740
- RESERVED
+CVE-2016-9740 (IBM QRadar 7.2 could allow a remote attacker to consume all resources ...)
+ TODO: check
CVE-2016-9739 (IBM Security Identity Manager Virtual Appliance stores user ...)
NOT-FOR-US: IBM
CVE-2016-9738
@@ -14464,28 +14471,28 @@
RESERVED
CVE-2016-9731 (IBM Business Process Manager is vulnerable to cross-site scripting. ...)
NOT-FOR-US: IBM
-CVE-2016-9730
- RESERVED
-CVE-2016-9729
- RESERVED
-CVE-2016-9728
- RESERVED
-CVE-2016-9727
- RESERVED
-CVE-2016-9726
- RESERVED
-CVE-2016-9725
- RESERVED
-CVE-2016-9724
- RESERVED
-CVE-2016-9723
- RESERVED
+CVE-2016-9730 (IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request ...)
+ TODO: check
+CVE-2016-9729 (IBM QRadar 7.2 does not perform an authentication check for a critical ...)
+ TODO: check
+CVE-2016-9728 (IBM Qradar 7.2 is vulnerable to SQL injection. A remote attacker could ...)
+ TODO: check
+CVE-2016-9727 (IBM QRadar 7.2 could allow a remote authenticated attacker to execute ...)
+ TODO: check
+CVE-2016-9726 (IBM QRadar Incident Forensics 7.2 could allow a remote authenticated ...)
+ TODO: check
+CVE-2016-9725 (IBM QRadar Incident Forensics 7.2 allows for Cross-Origin Resource ...)
+ TODO: check
+CVE-2016-9724 (IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML ...)
+ TODO: check
+CVE-2016-9723 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This ...)
+ TODO: check
CVE-2016-9722
RESERVED
CVE-2016-9721
RESERVED
-CVE-2016-9720
- RESERVED
+CVE-2016-9720 (IBM QRadar 7.2 discloses sensitive information to unauthorized users. ...)
+ TODO: check
CVE-2016-9719
RESERVED
CVE-2016-9718
@@ -14538,8 +14545,8 @@
RESERVED
CVE-2016-9694
RESERVED
-CVE-2016-9693
- RESERVED
+CVE-2016-9693 (IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download ...)
+ TODO: check
CVE-2016-9692
RESERVED
CVE-2016-9691
@@ -15821,8 +15828,7 @@
{DSA-3760-1 DLA-812-1}
- ikiwiki 3.20161229
NOTE: https://ikiwiki.info/security/#cve-2016-9646
-CVE-2016-9643
- RESERVED
+CVE-2016-9643 (The regex code in Webkit 2.4.11 allows remote attackers to cause a ...)
- webkitgtk <unfixed> (unimportant)
NOTE: Not covered by security support
NOTE: http://www.openwall.com/lists/oss-security/2016/11/26/2
@@ -16162,8 +16168,7 @@
- openjpeg2 2.1.2-1.1 (bug #851422)
NOTE: https://github.com/uclouvain/openjpeg/issues/863
NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
-CVE-2016-9571
- RESERVED
+CVE-2016-9571 (Apache Camel's camel-jackson and camel-jacksonxml components are ...)
- resteasy <unfixed> (bug #851430)
[jessie] - resteasy <no-dsa> (Minor issue)
CVE-2016-9570
@@ -17781,8 +17786,8 @@
RESERVED
CVE-2016-9165
RESERVED
-CVE-2016-9164
- RESERVED
+CVE-2016-9164 (Directory traversal vulnerability in diag.jsp file in CA Unified ...)
+ TODO: check
CVE-2016-9163
RESERVED
CVE-2016-9162
@@ -17815,8 +17820,8 @@
NOT-FOR-US: PAN-OS
CVE-2016-9149 (The Addresses Object parser in Palo Alto Networks PAN-OS before ...)
NOT-FOR-US: PAN-OS
-CVE-2016-9148
- RESERVED
+CVE-2016-9148 (Cross-site scripting (XSS) vulnerability in CA Service Desk Manager ...)
+ TODO: check
CVE-2016-9147 (named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows ...)
{DSA-3758-1 DLA-805-1}
[experimental] - bind9 1:9.10.4-P5-1
@@ -18082,8 +18087,7 @@
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=2634ab7fe29b3f75d0865b719caf8f310d634aae (v2.8.0-rc0)
CVE-2016-9088
RESERVED
-CVE-2016-9087
- RESERVED
+CVE-2016-9087 (SQL injection vulnerability in ...)
NOT-FOR-US: Exponent CMS
CVE-2016-9086 (GitLab versions 8.9.x and above contain a critical security flaw in the ...)
- gitlab 8.13.3+dfsg1-2 (bug #843519)
@@ -18300,11 +18304,9 @@
RESERVED
CVE-2016-9021
RESERVED
-CVE-2016-9020
- RESERVED
+CVE-2016-9020 (SQL injection vulnerability in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-9019
- RESERVED
+CVE-2016-9019 (SQL injection vulnerability in the activate_address function in ...)
NOT-FOR-US: Exponent CMS
CVE-2016-9018 (Improper handling of a repeating VRAT chunk in qcpfformat.dll allows ...)
NOT-FOR-US: RealPlayer
@@ -18404,8 +18406,8 @@
RESERVED
CVE-2016-8972 (IBM AIX 6.1, 7.1, and 7.2 could allow a local user to gain root ...)
NOT-FOR-US: IBM
-CVE-2016-8971
- RESERVED
+CVE-2016-8971 (IBM WebSphere MQ 8.0 could allow an authenticated user with queue ...)
+ TODO: check
CVE-2016-8970
RESERVED
CVE-2016-8969
@@ -18466,8 +18468,8 @@
NOT-FOR-US: IBM
CVE-2016-8941 (IBM Tivoli Storage Productivity Center is vulnerable to cross-site ...)
NOT-FOR-US: IBM
-CVE-2016-8940
- RESERVED
+CVE-2016-8940 (IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and ...)
+ TODO: check
CVE-2016-8939
RESERVED
CVE-2016-8938 (IBM UrbanCode Deploy could allow a user to execute code using a ...)
@@ -18624,8 +18626,7 @@
- bind9 1:9.10.3.dfsg.P4-11 (bug #842858)
NOTE: https://kb.isc.org/article/AA-01434
NOTE: upstream fix https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc
-CVE-2016-8863 [Buffer overflow in create_url_list]
- RESERVED
+CVE-2016-8863 (Heap-based buffer overflow in the create_url_list function in ...)
{DSA-3736-1 DLA-748-1 DLA-747-1}
- libupnp 1:1.6.19+git20160116-1.2 (bug #842093)
- libupnp4 <removed>
@@ -22437,11 +22438,9 @@
NOT-FOR-US: Exponent CMS
CVE-2016-7790 (Exponent CMS 2.3.9 suffers from a remote code execution vulnerability ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7789
- RESERVED
+CVE-2016-7789 (SQL injection vulnerability in framework/core/models/expConfig.php in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7788
- RESERVED
+CVE-2016-7788 (SQL injection vulnerability in ramework/modules/users/models/user.php ...)
NOT-FOR-US: Exponent CMS
CVE-2016-7787 (A maliciously crafted command line for kdesu can result in the user ...)
- kde-cli-tools 4:5.8.0-1 (bug #839865)
@@ -22462,20 +22461,15 @@
CVE-2016-7785 (The avi_read_seek function in libavformat/avidec.c in FFmpeg before ...)
- ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b (n3.1.4)
-CVE-2016-7784
- RESERVED
+CVE-2016-7784 (SQL injection vulnerability in the getSection function in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7783
- RESERVED
+CVE-2016-7783 (SQL injection vulnerability in framework/core/models/expRecord.php in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7782
- RESERVED
+CVE-2016-7782 (SQL injection vulnerability in framework/core/models/expConfig.php in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7781
- RESERVED
+CVE-2016-7781 (SQL injection vulnerability in ...)
NOT-FOR-US: Exponent CMS
-CVE-2016-7780
- RESERVED
+CVE-2016-7780 (SQL injection vulnerability in cron/find_help.php in Exponent CMS ...)
NOT-FOR-US: Exponent CMS
CVE-2016-7779
RESERVED
@@ -24094,23 +24088,17 @@
NOTE: Upstream patches: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04296.html
NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/4
NOTE: Vulnerable code introduced after version 2.6: http://wiki.qemu.org/ChangeLog/2.6
-CVE-2016-7140
- RESERVED
+CVE-2016-7140 (Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in ...)
NOT-FOR-US: Plone
-CVE-2016-7139
- RESERVED
+CVE-2016-7139 (Cross-site scripting (XSS) vulnerability in an unspecified page ...)
NOT-FOR-US: Plone
-CVE-2016-7138
- RESERVED
+CVE-2016-7138 (Cross-site scripting (XSS) vulnerability in the URL checking ...)
NOT-FOR-US: Plone
-CVE-2016-7137
- RESERVED
+CVE-2016-7137 (Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, ...)
NOT-FOR-US: Plone
-CVE-2016-7136
- RESERVED
+CVE-2016-7136 (z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows ...)
NOT-FOR-US: Plone
-CVE-2016-7135
- RESERVED
+CVE-2016-7135 (Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and ...)
NOT-FOR-US: Plone
CVE-2016-7141 (curl and libcurl before 7.50.2, when built with NSS and the ...)
{DLA-616-1}
@@ -24119,8 +24107,7 @@
NOTE: Only affects libcurl3-nss
NOTE: http://seclists.org/oss-sec/2016/q3/419
NOTE: https://curl.haxx.se/docs/adv_20160907.html
-CVE-2016-7145 [certificate fingerprint spoofing through crafted SASL messages]
- RESERVED
+CVE-2016-7145 (The m_authenticate function in ircd/m_authenticate.c in nefarious2 ...)
NOT-FOR-US: Nefarious 2
CVE-2016-7144 (The m_authenticate function in modules/m_sasl.c in UnrealIRCd before ...)
- unrealircd <itp> (bug #515130)
@@ -26307,8 +26294,7 @@
CVE-2016-6523 (Multiple cross-site scripting (XSS) vulnerabilities in the media ...)
- dotclear <removed>
NOTE: Fixed by: https://hg.dotclear.org/dotclear/rev/40d0207e520d
-CVE-2016-6522
- RESERVED
+CVE-2016-6522 (Integer overflow in the uvm_map_isavail function in uvm/uvm_map.c in ...)
NOT-FOR-US: OpenBSD
CVE-2016-6521 (Cross-site request forgery (CSRF) vulnerability in Grails console (aka ...)
- grails <itp> (bug #473213)
@@ -26971,8 +26957,7 @@
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=cc96677469388bad3d66479379735cf75db069e3 (v2.7.0-rc0)
NOTE: http://www.openwall.com/lists/oss-security/2016/07/25/14
NOTE: According to maintainer the fix relies on the fix for CVE-2016-4439
-CVE-2016-6350
- RESERVED
+CVE-2016-6350 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service ...)
NOT-FOR-US: OpenBSD
CVE-2016-6349 [information exposure for docker containers]
RESERVED
@@ -27416,32 +27401,23 @@
RESERVED
CVE-2016-1000028
RESERVED
-CVE-2016-6247
- RESERVED
+CVE-2016-6247 (OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6246
- RESERVED
+CVE-2016-6246 (OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6245
- RESERVED
+CVE-2016-6245 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6244
- RESERVED
+CVE-2016-6244 (The sys_thrsigdivert function in kern/kern_sig.c in the OpenBSD kernel ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6243
- RESERVED
+CVE-2016-6243 (thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6242
- RESERVED
+CVE-2016-6242 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6241
- RESERVED
+CVE-2016-6241 (Integer overflow in the amap_alloc1 function in OpenBSD 5.8 and 5.9 ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6240
- RESERVED
+CVE-2016-6240 (Integer truncation error in the amap_alloc function in OpenBSD 5.8 and ...)
NOT-FOR-US: OpenBSD kernel
-CVE-2016-6239
- RESERVED
+CVE-2016-6239 (The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows ...)
NOT-FOR-US: OpenBSD kernel
CVE-2016-6238 (The write_ujpg function in lepton/jpgcoder.cc in Dropbox lepton 1.0 ...)
- lepton 1.2.1-1 (bug #831814)
@@ -27514,8 +27490,7 @@
- libspring-java 4.2.7-1 (unimportant)
NOTE: https://www.tenable.com/security/research/tra-2016-20
NOTE: This is not a vulnerability in Spring itself, just how applications are using it
-CVE-2016-6255 [write files via POST]
- RESERVED
+CVE-2016-6255 (Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers ...)
{DSA-3736-1 DLA-597-1}
- libupnp 1:1.6.19+git20160116-1.1 (bug #831857)
NOTE: https://twitter.com/mjg59/status/755062278513319936
@@ -30331,8 +30306,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2556
NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=656
NOTE: Upstream marked this duplicate of bug http://bugzilla.maptools.org/show_bug.cgi?id=2554
-CVE-2016-5315 [tif_dir.c: setByteArray() Read access violation]
- RESERVED
+CVE-2016-5315 (The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier ...)
{DSA-3762-1 DLA-610-1 DLA-606-1}
- tiff 4.0.6-2 (bug #830700)
- tiff3 <removed>
@@ -32346,16 +32320,16 @@
- qemu-kvm <not-affected> (LSI SAS1068 (mptsas) device support added later)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html
NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0)
-CVE-2016-4950
- RESERVED
-CVE-2016-4949
- RESERVED
-CVE-2016-4948
- RESERVED
-CVE-2016-4947
- RESERVED
-CVE-2016-4946
- RESERVED
+CVE-2016-4950 (Cloudera Manager 5.5 and earlier allows remote attackers to enumerate ...)
+ TODO: check
+CVE-2016-4949 (Cloudera Manager 5.5 and earlier allows remote attackers to obtain ...)
+ TODO: check
+CVE-2016-4948 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera ...)
+ TODO: check
+CVE-2016-4947 (Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate ...)
+ TODO: check
+CVE-2016-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE ...)
+ TODO: check
CVE-2016-4945 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Citrix NetScaler Gateway
CVE-2015-8880 (Double free vulnerability in the format printer in PHP 7.x before ...)
@@ -103029,8 +103003,7 @@
NOT-FOR-US: fog-dragonfly Ruby Gem
CVE-2013-5670 (Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php ...)
- serendipity <not-affected> (Spellcheck plugin not included in 1.5.x)
-CVE-2013-5653 [Ghostscript information disclosure through getenv, filenameforall]
- RESERVED
+CVE-2013-5653 (The getenv and filenameforall functions in Ghostscript 9.10 ignore the ...)
{DSA-3691-1 DLA-674-1}
- ghostscript 9.19~dfsg-3.1 (low; bug #839118)
NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=694724
More information about the Secure-testing-commits
mailing list