[Secure-testing-commits] r52132 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Tue May 30 21:10:15 UTC 2017
Author: sectracker
Date: 2017-05-30 21:10:14 +0000 (Tue, 30 May 2017)
New Revision: 52132
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-05-30 20:52:17 UTC (rev 52131)
+++ data/CVE/list 2017-05-30 21:10:14 UTC (rev 52132)
@@ -1,4 +1,5 @@
CVE-2017-1000367 [Potential overwrite of arbitrary files]
+ {DSA-3867-1}
- sudo <unfixed> (bug #863731)
NOTE: https://www.sudo.ws/alerts/linux_tty.html
NOTE: http://www.openwall.com/lists/oss-security/2017/05/30/16
@@ -158,6 +159,7 @@
CVE-2017-9240
RESERVED
CVE-2016-10376 (Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote ...)
+ {DLA-967-1}
- gajim 0.16.6-1.1 (bug #863445)
NOTE: https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
NOTE: https://dev.gajim.org/gajim/gajim/issues/8378
@@ -784,9 +786,11 @@
NOT-FOR-US: Secure Bytes Cisco Configuration Manager
CVE-2017-9023
RESERVED
+ {DSA-3866-1}
- strongswan 5.5.1-4
CVE-2017-9022
RESERVED
+ {DSA-3866-1}
- strongswan 5.5.1-4
CVE-2017-9021 (The vrend_clear dispatch function in vrend_renderer.c in virglrenderer ...)
- virglrenderer <unfixed>
@@ -1174,6 +1178,7 @@
CVE-2017-8856 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and ...)
NOT-FOR-US: Veritas NetBackup
CVE-2016-10371 (The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in ...)
+ {DLA-969-1}
- tiff 4.0.7-7 (low; bug #862929)
[jessie] - tiff <no-dsa> (Minor issue)
- tiff3 <removed>
@@ -2212,15 +2217,15 @@
CVE-2015-9056
RESERVED
CVE-2017-8905 (Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, ...)
- {DSA-3847-1}
+ {DSA-3847-1 DLA-964-1}
- xen 4.8.0~rc3-1 (bug #861662)
NOTE: https://xenbits.xen.org/xsa/advisory-215.html
CVE-2017-8904 (Xen through 4.8.x mishandles the "contains segment descriptors" ...)
- {DSA-3847-1}
+ {DSA-3847-1 DLA-964-1}
- xen 4.8.1-1+deb9u1 (bug #861660)
NOTE: https://xenbits.xen.org/xsa/advisory-214.html
CVE-2017-8903 (Xen through 4.8.x on 64-bit platforms mishandles page tables after an ...)
- {DSA-3847-1}
+ {DSA-3847-1 DLA-964-1}
- xen 4.8.1-1+deb9u1 (bug #861659)
NOTE: https://xenbits.xen.org/xsa/advisory-213.html
CVE-2017-8418 (RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing ...)
@@ -3076,6 +3081,7 @@
CVE-2017-8087
RESERVED
CVE-2017-8086 (Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in ...)
+ {DLA-965-1}
- qemu 1:2.8+dfsg-5 (bug #861348)
- qemu-kvm <removed>
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2 (v2.9.0-rc4)
@@ -3337,6 +3343,7 @@
CVE-2017-7996
RESERVED
CVE-2017-7995 (Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges ...)
+ {DLA-964-1}
- xen 4.3.0-1
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948
CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 in ...)
@@ -4781,8 +4788,8 @@
RESERVED
CVE-2017-7512
RESERVED
-CVE-2017-7511
- RESERVED
+CVE-2017-7511 (poppler since version 0.17.3 has been vulnerable to NULL pointer ...)
+ TODO: check
CVE-2017-7510
RESERVED
CVE-2017-7509
@@ -4800,8 +4807,7 @@
NOT-FOR-US: Red Hat JBoss
CVE-2017-7503 (It was found that the Red Hat JBoss EAP 7.0.5 implementation of ...)
NOT-FOR-US: Red Hat JBoss EAP implementation of javax.xml.transform.TransformerFactory
-CVE-2017-7502
- RESERVED
+CVE-2017-7502 (Null pointer dereference vulnerability in NSS since 3.24.0 was found ...)
[experimental] - nss 2:3.29-1
- nss <unfixed>
NOTE: https://hg.mozilla.org/projects/nss/rev/55ea60effd0d
@@ -4823,12 +4829,12 @@
[jessie] - linux 3.16.39-1
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://git.kernel.org/linus/06bd3c36a733ac27962fea7d6f47168841376824
-CVE-2017-7494
- RESERVED
+CVE-2017-7494 (Samba since version 3.5.0 is vulnerable to remote code execution ...)
{DSA-3860-1 DLA-951-1}
- samba 2:4.5.8+dfsg-2
NOTE: https://www.samba.org/samba/security/CVE-2017-7494.html
CVE-2017-7493 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing ...)
+ {DLA-965-1}
- qemu 1:2.8+dfsg-6
- qemu-kvm <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1451709
@@ -5210,21 +5216,25 @@
CVE-2017-7384
RESERVED
CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1
@@ -5235,10 +5245,12 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2
NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/
CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #859330)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847
CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...)
+ {DLA-965-1}
- qemu 1:2.8+dfsg-4 (bug #859854)
[jessie] - qemu <no-dsa> (Minor issue)
- qemu-kvm <removed>
@@ -7945,11 +7957,13 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp
CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #861565)
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846
CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #861564)
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h
@@ -7977,12 +7991,14 @@
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/
CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #861560)
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845
CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #861559)
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp
@@ -7997,6 +8013,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/2
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h
CVE-2017-6840 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...)
+ {DLA-968-1}
- libpodofo 0.9.4-6 (bug #861557)
NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/1
NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp
@@ -15977,7 +15994,7 @@
- libcrypto++ 5.6.4-5 (bug #848009)
NOTE: https://github.com/weidai11/cryptopp/issues/346
CVE-2016-9932 (CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows ...)
- {DSA-3847-1}
+ {DSA-3847-1 DLA-964-1}
- xen 4.8.0~rc3-1 (bug #848081)
NOTE: https://xenbits.xen.org/xsa/advisory-200.html
CVE-2016-9931
@@ -19960,30 +19977,30 @@
NOT-FOR-US: Juniper
CVE-2017-2312 (On Juniper Networks devices running Junos OS affected versions and ...)
NOT-FOR-US: Juniper
-CVE-2017-2311
- RESERVED
-CVE-2017-2310
- RESERVED
-CVE-2017-2309
- RESERVED
-CVE-2017-2308
- RESERVED
-CVE-2017-2307
- RESERVED
-CVE-2017-2306
- RESERVED
-CVE-2017-2305
- RESERVED
-CVE-2017-2304
- RESERVED
-CVE-2017-2303
- RESERVED
-CVE-2017-2302
- RESERVED
-CVE-2017-2301
- RESERVED
-CVE-2017-2300
- RESERVED
+CVE-2017-2311 (On Juniper Networks Junos Space versions prior to 16.1R1, an ...)
+ TODO: check
+CVE-2017-2310 (A firewall bypass vulnerability in the host based firewall of Juniper ...)
+ TODO: check
+CVE-2017-2309 (On Juniper Networks Junos Space versions prior to 16.1R1 when ...)
+ TODO: check
+CVE-2017-2308 (An XML External Entity Injection vulnerability in Juniper Networks ...)
+ TODO: check
+CVE-2017-2307 (A reflected cross site scripting vulnerability in the administrative ...)
+ TODO: check
+CVE-2017-2306 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an ...)
+ TODO: check
+CVE-2017-2305 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an ...)
+ TODO: check
+CVE-2017-2304 (Juniper Networks QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600 ...)
+ TODO: check
+CVE-2017-2303 (On Juniper Networks products or platforms running Junos OS 12.1X46 ...)
+ TODO: check
+CVE-2017-2302 (On Juniper Networks products or platforms running Junos OS 12.1X46 ...)
+ TODO: check
+CVE-2017-2301 (On Juniper Networks products or platforms running Junos OS 11.4 prior ...)
+ TODO: check
+CVE-2017-2300 (On Juniper Networks SRX Series Services Gateways chassis clusters ...)
+ TODO: check
CVE-2017-2299
RESERVED
CVE-2017-2298
@@ -24529,6 +24546,7 @@
NOTE: Upstream patch http://git.qemu-project.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6
CVE-2016-9602 [9p: virtfs allows guest to access host filesystem]
RESERVED
+ {DLA-965-1}
- qemu 1:2.8+dfsg-3 (bug #853006)
[jessie] - qemu <no-dsa> (Minor issue)
- qemu-kvm <removed>
@@ -37499,6 +37517,7 @@
CVE-2016-5736 (The default configuration of the IPsec IKE peer listener in F5 BIG-IP ...)
NOT-FOR-US: BIG-IP
CVE-2016-5735 (Integer overflow in the rwpng_read_image24_libpng function in rwpng.c ...)
+ {DLA-966-1}
- pngquant <unfixed> (bug #863469)
NOTE: https://github.com/pornel/pngquant/commit/b7c217680cda02dddced245d237ebe8c383be285
CVE-2016-5734 (phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x ...)
@@ -44471,7 +44490,7 @@
NOTE: http://bugs.cacti.net/view.php?id=2673
NOTE: Requires authenticated user
CVE-2016-3658 (The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in ...)
- {DSA-3844-1}
+ {DSA-3844-1 DLA-969-1}
- tiff 4.0.6-3 (low)
- tiff3 <removed> (low)
[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
@@ -45880,8 +45899,7 @@
NOT-FOR-US: Apache CloudStack
CVE-2016-3084 (The UAA reset password flow in Cloud Foundry release v236 and earlier ...)
NOT-FOR-US: Cloud Foundry
-CVE-2016-3083
- RESERVED
+CVE-2016-3083 (Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP ...)
NOT-FOR-US: Apache Hive
CVE-2016-3082 (XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before ...)
- libstruts1.2-java <not-affected> (Only affects Struts 2.x)
@@ -97189,7 +97207,7 @@
[squeeze] - apache2 <not-affected> (no mod_proxy_fcgi in 2.2)
NOTE: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1618401&r2=1638818
NOTE: Only exploitable by a malicious fcgi script.
-CVE-2014-3582 (The certificate signing REST API in Apache Ambari before 2.4.0 allows ...)
+CVE-2014-3582 (In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary ...)
NOT-FOR-US: Apache Ambari
CVE-2014-3581 (The cache_merge_headers_out function in modules/cache/cache_util.c in ...)
{DLA-71-1}
More information about the Secure-testing-commits
mailing list