[Secure-testing-commits] r51964 - data/CVE

security tracker role sectracker at moszumanska.debian.org
Thu May 25 21:10:13 UTC 2017


Author: sectracker
Date: 2017-05-25 21:10:13 +0000 (Thu, 25 May 2017)
New Revision: 51964

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-05-25 18:20:19 UTC (rev 51963)
+++ data/CVE/list	2017-05-25 21:10:13 UTC (rev 51964)
@@ -522,18 +522,18 @@
 	[jessie] - binutils <no-dsa> (Minor issue)
 	[wheezy] - binutils <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
-CVE-2017-9037
-	RESERVED
-CVE-2017-9036
-	RESERVED
-CVE-2017-9035
-	RESERVED
-CVE-2017-9034
-	RESERVED
-CVE-2017-9033
-	RESERVED
-CVE-2017-9032
-	RESERVED
+CVE-2017-9037 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ...)
+	TODO: check
+CVE-2017-9036 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local ...)
+	TODO: check
+CVE-2017-9035 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows ...)
+	TODO: check
+CVE-2017-9034 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows ...)
+	TODO: check
+CVE-2017-9033 (Cross-site request forgery (CSRF) vulnerability in Trend Micro ...)
+	TODO: check
+CVE-2017-9032 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ...)
+	TODO: check
 CVE-2017-9058 (In libytnef in ytnef through 1.9.2, there is a heap-based buffer ...)
 	- libytnef 1.9.2-2 (bug #862556)
 	NOTE: https://github.com/Yeraze/ytnef/issues/45
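Review bot: The truncated descriptions leave CVE-2017-9037 and CVE-2017-9032 (both "Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ...") and CVE-2017-9035 and CVE-2017-9034 (both "Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows ...") indistinguishable in this file, so whoever resolves the six TODO: check lines needs the full MITRE text rather than the list entry. All six name Trend Micro products, which elsewhere in this patch are closed as NOT-FOR-US (compare the Kerio, Spiceworks and D-Link entries in later hunks); the TODO: check marker is the expected output of the automatic update and is not itself a triage decision.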
@@ -1941,7 +1941,7 @@
 CVE-2017-8423
 	RESERVED
 CVE-2017-8422 (KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to ...)
-	{DSA-3849-1}
+	{DSA-3849-1 DLA-952-1}
 	- kauth 5.28.0-2
 	- kde4libs 4:4.14.26-2
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/3
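Review bot: DLA-952-1 is added here to CVE-2017-8422 and, in later hunks, to CVE-2017-6410 and CVE-2013-2074, all of them kde4libs issues; the three should be checked against the DLA text together so that none is marked as covered by an advisory that does not name it. Placing the new reference inside the existing {DSA-3849-1} braces rather than on a second line matches the {DSA-3636-1 DLA-575-1} convention used for collectd further down.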
@@ -4801,8 +4801,8 @@
 	RESERVED
 CVE-2017-7440 (Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop ...)
 	NOT-FOR-US: Kerio
-CVE-2017-7439
-	RESERVED
+CVE-2017-7439 (NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might ...)
+	TODO: check
 CVE-2017-7438
 	RESERVED
 CVE-2017-7437
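Review bot: CVE-2017-7439 and, in the next hunk, CVE-2017-7236 both concern NetApp OnCommand Unified Manager Core Package, so the two TODO: check entries should be resolved together; given the "NOT-FOR-US: Kerio" treatment of the adjacent CVE-2017-7440, the same NOT-FOR-US annotation is the likely outcome, but that is for the triager to confirm rather than for the automatic update to assume.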
@@ -5635,8 +5635,8 @@
 	RESERVED
 CVE-2017-7237 (The Spiceworks TFTP Server, as distributed with Spiceworks Inventory ...)
 	NOT-FOR-US: Spiceworks
-CVE-2017-7236
-	RESERVED
+CVE-2017-7236 (SQL injection vulnerability in NetApp OnCommand Unified Manager Core ...)
+	TODO: check
 CVE-2016-10265
 	RESERVED
 CVE-2016-10264
@@ -7952,7 +7952,7 @@
 CVE-2017-6411 (Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 ...)
 	NOT-FOR-US: D-Link
 CVE-2017-6410 (kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls ...)
-	{DSA-3849-1}
+	{DSA-3849-1 DLA-952-1}
 	- kio 5.28.0-2 (bug #856889)
 	- kde4libs 4:4.14.26-2 (bug #856890)
 	NOTE: https://www.kde.org/info/security/advisory-20170228-1.txt
@@ -9529,8 +9529,7 @@
 	NOT-FOR-US: ViMbAdmin
 CVE-2017-5869 (Directory traversal vulnerability in the file import feature in Nuxeo ...)
 	NOT-FOR-US: Nuxeo
-CVE-2017-5868
-	RESERVED
+CVE-2017-5868 (CRLF injection vulnerability in the web interface in OpenVPN Access ...)
 	NOT-FOR-US: OpenVPN Access Server
 CVE-2017-5867 (ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, ...)
 	- owncloud <removed>
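Review bot: The RESERVED line is dropped for CVE-2017-5868 (the hunk shrinks from 8 to 7 lines) because the existing "NOT-FOR-US: OpenVPN Access Server" annotation already resolves the entry, which is correct: the annotation names the proprietary Access Server product specifically rather than the openvpn package, so the description "CRLF injection vulnerability in the web interface in OpenVPN Access ..." does not call for a package line.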
@@ -32859,7 +32858,7 @@
 	[jessie] - openssl <not-affected> (Introduced in 1.0.2i)
 	[wheezy] - openssl <not-affected> (Introduced in 1.0.2i)
 	NOTE: https://www.openssl.org/news/secadv/20160926.txt
-CVE-2016-7051 (XmlMapper in the Data format extension for Jackson (aka ...)
+CVE-2016-7051 (XmlMapper in the Jackson XML dataformat component (aka ...)
 	- jackson-dataformat-xml 2.8.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1378673#c7
 	NOTE: https://github.com/FasterXML/jackson-dataformat-xml/issues/211
@@ -35385,8 +35384,8 @@
 	NOTE: http://xenbits.xen.org/xsa/advisory-182.html
 CVE-2016-6257 (The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon ...)
 	NOT-FOR-US: Lenovo
-CVE-2016-6256
-	RESERVED
+CVE-2016-6256 (SAP Business One for Android 1.2.3 allows remote attackers to conduct ...)
+	TODO: check
 CVE-2016-6254 (Heap-based buffer overflow in the parse_packet function in network.c ...)
 	{DSA-3636-1 DLA-575-1}
 	- collectd 5.5.2-1 (bug #832507)
@@ -40199,8 +40198,7 @@
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bb848feec0f3f10e92dd8e5231ae7aa89b5598f3 (v2.0.0)
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=f32441c69bf450d6ac593c3acd621c37e120cdaf (v1.2.9-maint)
 	NOTE: http://security.libvirt.org/2016/0001.html
-CVE-2016-5007 [Spring Security / MVC Path Matching Inconsistency]
-	RESERVED
+CVE-2016-5007 (Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework ...)
 	- libspring-java 4.3.2-1
 	[jessie] - libspring-java <no-dsa> (Minor issue)
 	[wheezy] - libspring-java <not-affected> (Vulnerable code not present)
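Review bot: Replacing the working title "[Spring Security / MVC Path Matching Inconsistency]" with the official text for CVE-2016-5007 loses the only mention of the path-matching issue in this entry, because the imported description is cut at "Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework ..."; consider carrying the dropped title over as a NOTE line, since the entry has no other NOTE. The same applies to CVE-2014-0225 later in this patch, whose "[Information disclosure via SSRF]" title is replaced by a description that stops at "When processing user provided XML documents, the Spring Framework ...".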
@@ -40298,8 +40296,8 @@
 	NOTE: Upstream fix: https://svn.apache.org/r1750779
 CVE-2016-4978 (The getObject method of the javax.jms.ObjectMessage class in the (1) ...)
 	NOT-FOR-US: ApacheMQ Artemis
-CVE-2016-4977
-	RESERVED
+CVE-2016-4977 (When processing authorization requests using the whitelabel views in ...)
+	TODO: check
 CVE-2016-4976 (Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on ...)
 	NOT-FOR-US: Apache Ambari
 CVE-2016-4975
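Review bot: CVE-2016-4977 is left at TODO: check although the surrounding entries already show how Spring issues are tracked in this file: Spring Framework fixes land on libspring-java, while Spring Security appears only as "libspring-security-java <itp> (bug #582181)" in a later hunk. Triage should decide which of the two this "whitelabel views" authorization issue belongs to and, if it is on the Spring Security side, record the <itp> reference rather than a fixed version.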
@@ -42089,8 +42087,8 @@
 CVE-2016-4436 (Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers ...)
 	- libstruts1.2-java <not-affected> (Only affects 2.0.0 to 2.3.28.1)
 	NOTE: https://struts.apache.org/docs/s2-035.html
-CVE-2016-4435
-	RESERVED
+CVE-2016-4435 (An endpoint of the Agent running on the BOSH Director VM with stemcell ...)
+	TODO: check
 CVE-2016-4434 [XML External Entity vulnerability]
 	RESERVED
 	- tika <unfixed> (bug #825501)
@@ -45713,8 +45711,8 @@
 	- hadoop <itp> (bug #793644)
 CVE-2016-3085 (Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x ...)
 	NOT-FOR-US: Apache CloudStack
-CVE-2016-3084
-	RESERVED
+CVE-2016-3084 (The UAA reset password flow in Cloud Foundry release v236 and earlier ...)
+	TODO: check
 CVE-2016-3083
 	RESERVED
 	NOT-FOR-US: Apache Hive
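Review bot: CVE-2016-3084 is one of a batch of Cloud Foundry entries that this update moves from RESERVED to TODO: check (CVE-2016-4435 in the hunk above, and CVE-2016-2165, CVE-2016-0781, CVE-2016-0780, CVE-2016-0761, CVE-2015-3191, CVE-2015-3190, CVE-2015-3189 and CVE-2015-1834 in the hunks that follow). They should be triaged as one group, since they all concern cf-release, UAA, Loggregator, Garden-Linux or BOSH components, and the truncated descriptions of CVE-2015-3191 and CVE-2015-3190 are identical up to the ellipsis, so the full text is needed to tell them apart.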
@@ -48958,8 +48956,8 @@
 	NOTE: https://issues.apache.org/jira/browse/PROTON-1157
 	NOTE: http://qpid.apache.org/releases/qpid-proton-0.12.1/
 	NOTE: Affects Qpid Proton python API starting at 0.9 up to and including 0.12.0
-CVE-2016-2165
-	RESERVED
+CVE-2016-2165 (The Loggregator Traffic Controller endpoints in cf-release v231 and ...)
+	TODO: check
 CVE-2016-2164 (The (1) FileService.importFileByInternalUserId and (2) ...)
 	NOT-FOR-US: Apache OpenMeetings
 CVE-2016-2163 (Cross-site scripting (XSS) vulnerability in Apache OpenMeetings before ...)
@@ -53974,10 +53972,10 @@
 CVE-2016-0782 (The administration web console in Apache ActiveMQ 5.x before 5.11.4, ...)
 	- activemq <not-affected> (Admin console not enabled in the Debian package, see #702670)
 	NOTE: https://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
-CVE-2016-0781
-	RESERVED
-CVE-2016-0780
-	RESERVED
+CVE-2016-0781 (The UAA OAuth approval pages in Cloud Foundry v208 to v231, ...)
+	TODO: check
+CVE-2016-0780 (It was discovered that cf-release v231 and lower, Pivotal Cloud ...)
+	TODO: check
 CVE-2016-0779 (The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x ...)
 	NOT-FOR-US: Apache TomEE
 CVE-2016-0778 (The (1) roaming_read and (2) roaming_write functions in ...)
@@ -54068,8 +54066,8 @@
 	NOTE: Fixed by: http://svn.apache.org/r1758501 (8.0.x)
 	NOTE: Fixed by: http://svn.apache.org/r1758502 (7.0.x)
 	NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758506 (6.0.x)
-CVE-2016-0761
-	RESERVED
+CVE-2016-0761 (Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic ...)
+	TODO: check
 CVE-2016-0760 (Multiple incomplete blacklist vulnerabilities in Apache Sentry before ...)
 	NOT-FOR-US: Apache Hive
 CVE-2016-0759
@@ -65773,8 +65771,7 @@
 	{DSA-3394-1}
 	- libreoffice 1:5.0.1~rc1-1
 	NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/
-CVE-2015-5211
-	RESERVED
+CVE-2015-5211 (Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to ...)
 	- libspring-java 4.1.9-1
 	[jessie] - libspring-java <no-dsa> (Minor issue)
 	[wheezy] - libspring-java <no-dsa> (Minor issue)
@@ -71600,12 +71597,12 @@
 	[wheezy] - libspring-java <no-dsa> (Minor issue)
 	NOTE: https://pivotal.io/security/cve-2015-3192
 	NOTE: https://jira.spring.io/browse/SPR-13136
-CVE-2015-3191
-	RESERVED
-CVE-2015-3190
-	RESERVED
-CVE-2015-3189
-	RESERVED
+CVE-2015-3191 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA ...)
+	TODO: check
+CVE-2015-3190 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA ...)
+	TODO: check
+CVE-2015-3189 (With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA ...)
+	TODO: check
 CVE-2015-3188 (The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote ...)
 	NOT-FOR-US: Apache Storm
 CVE-2015-3187 (The svn_repos_trace_node_locations function in Apache Subversion ...)
@@ -75772,8 +75769,8 @@
 CVE-2015-1835
 	RESERVED
 	NOT-FOR-US: Apache Cordova
-CVE-2015-1834
-	RESERVED
+CVE-2015-1834 (A path traversal vulnerability was identified in the Cloud Foundry ...)
+	TODO: check
 CVE-2015-1833 (XML external entity (XXE) vulnerability in Apache Jackrabbit before ...)
 	{DSA-3298-1}
 	- jackrabbit 2.10.1-1 (bug #787316)
@@ -97306,8 +97303,7 @@
 	- libapache-poi-java 3.10.1-1
 	[wheezy] - libapache-poi-java <no-dsa> (Minor issue)
 	NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=56164
-CVE-2014-3527
-	RESERVED
+CVE-2014-3527 (When using the CAS Proxy ticket authentication from Spring Security ...)
 	- libspring-security-java <itp> (bug #582181)
 CVE-2014-3526
 	RESERVED
@@ -106997,8 +106993,7 @@
 CVE-2014-0226 (Race condition in the mod_status module in the Apache HTTP Server ...)
 	{DSA-2989-1 DLA-66-1}
 	- apache2 2.4.10-1
-CVE-2014-0225 [Information disclosure via SSRF]
-	RESERVED
+CVE-2014-0225 (When processing user provided XML documents, the Spring Framework ...)
 	- libspring-java 3.0.6.RELEASE-14 (low; bug #753470)
 	[squeeze] - libspring-java <no-dsa> (Minor issue)
 	[wheezy] - libspring-java <no-dsa> (Minor issue)
@@ -107499,8 +107494,7 @@
 	[squeeze] - apache2 <not-affected> (Vulnerable code not present)
 	[wheezy] - apache2 <not-affected> (Vulnerable code not present)
 	NOTE: Looks like it was introduced in 2.2.23 which would mean that squeeze+wheezy are not affected. sf: waiting for confirmation.
-CVE-2014-0097
-	RESERVED
+CVE-2014-0097 (The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 ...)
 	- libspring-java <not-affected> (ActiveDirectoryLdapAuthenticator not yet present, introduced in 3.1)
 CVE-2014-0096 (java/org/apache/catalina/servlets/DefaultServlet.java in the default ...)
 	{DSA-3530-1}
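Review bot: The retained annotation for CVE-2014-0097 appears to point at the wrong source package: the new description reads "The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 ...", and the not-affected reasoning ("not yet present, introduced in 3.1") is about Spring Security versions, yet the line is attached to libspring-java, which this file uses for the Spring Framework (see CVE-2015-5211 above). Spring Security is tracked as "libspring-security-java <itp> (bug #582181)" in the CVE-2014-3527 hunk; the entry should reference that instead, or the note should say why libspring-java is the relevant package.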
@@ -120719,6 +120713,7 @@
 	RESERVED
 	- chicken <not-affected> (Incomplete fix was never applied)
 CVE-2013-2074 (kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows ...)
+	{DLA-952-1}
 	- kde4libs 4:4.10.5-1 (low; bug #707776)
 	[squeeze] - kde4libs <no-dsa> (Minor issue)
 	NOTE: https://bugs.kde.org/show_bug.cgi?id=319428
