[Secure-testing-commits] r57002 - data/CVE

security tracker role sectracker at moszumanska.debian.org
Thu Oct 26 21:10:15 UTC 2017


Author: sectracker
Date: 2017-10-26 21:10:14 +0000 (Thu, 26 Oct 2017)
New Revision: 57002

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-10-26 20:59:27 UTC (rev 57001)
+++ data/CVE/list	2017-10-26 21:10:14 UTC (rev 57002)
@@ -1,4 +1,16 @@
-CVE-2017-15919
+CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the ...)
+	TODO: check
+CVE-2017-15921
+	RESERVED
+CVE-2017-15920
+	RESERVED
+CVE-2017-15918
+	RESERVED
+CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create ...)
+	TODO: check
+CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a ...)
+	TODO: check
+CVE-2017-15919 (The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has ...)
 	NOT-FOR-US: WordPress plugin ultimate-form-builder-lite
 CVE-2017-15916
 	RESERVED
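Review bot: the TODO: check placeholders on CVE-2017-15922 (GNU Libextractor 1.4), CVE-2017-15917 (Paessler PRTG) and CVE-2017-15908 (systemd 223 through 235) in this hunk need a triage pass before this revision is useful to the tracker; the systemd entry should go first, since systemd is a Debian source package and the affected range is given explicitly. The resolved forms already used in this patch are a "- package version (bug #...)" line (git-annex, zoneminder) or a NOT-FOR-US line as on the ultimate-form-builder-lite entry here. The removal of the bare CVE-2017-15919 line at the top and its re-insertion with a description is just the feed re-sorting the entry; its NOT-FOR-US annotation is preserved as context.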
@@ -10,8 +22,8 @@
 	RESERVED
 CVE-2017-15912
 	RESERVED
-CVE-2017-15911
-	RESERVED
+CVE-2017-15911 (The Admin Console in Ignite Realtime Openfire Server before 4.1.7 ...)
+	TODO: check
 CVE-2017-15910
 	RESERVED
 CVE-2017-15909 (D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, ...)
@@ -1229,8 +1241,8 @@
 	NOTE: https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515
 CVE-2017-15367
 	RESERVED
-CVE-2017-15366
-	RESERVED
+CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...)
+	TODO: check
 CVE-2017-15365
 	RESERVED
 CVE-2017-15364 (The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote ...)
@@ -1903,8 +1915,8 @@
 	RESERVED
 CVE-2017-15097
 	RESERVED
-CVE-2017-15096
-	RESERVED
+CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...)
+	TODO: check
 CVE-2017-15095
 	RESERVED
 CVE-2017-15094
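Review bot: CVE-2017-15096 in this hunk should not stay at TODO: check, because the description names GlusterFS versions prior to 3.10 and Debian carries a glusterfs source package; triage needs to turn it into a "- glusterfs <version>" line (or <unfixed> with suite annotations, as the exiv2 entries in this patch do) or a NOT-FOR-US line if the shipped versions are unaffected.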
@@ -2663,6 +2675,7 @@
 	NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
 	NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): corrupted unsorted chunks" without valgrind).
 CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULong ...)
+	{DLA-1147-1}
 	- exiv2 <unfixed>
 	NOTE: https://github.com/Exiv2/exiv2/issues/73
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494467
@@ -2680,6 +2693,7 @@
 	NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
 	NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): invalid next size (fast)" without valgrind).
 CVE-2017-14862 (An Invalid memory address dereference was discovered in ...)
+	{DLA-1147-1}
 	- exiv2 <unfixed>
 	NOTE: https://github.com/Exiv2/exiv2/issues/75
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494786
@@ -2706,6 +2720,7 @@
 	NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
 	NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault without valgrind).
 CVE-2017-14859 (An Invalid memory address dereference was discovered in ...)
+	{DLA-1147-1}
 	- exiv2 <unfixed>
 	NOTE: https://github.com/Exiv2/exiv2/issues/74
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494780
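Review bot: the {DLA-1147-1} line added to CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 (this hunk and the two before it) sits under NOTEs stating the crashes are unreproducible on jessie with 0.25-3.1 and only reproducible in experimental 0.26-1; a DLA reference makes the tracker show these as fixed in jessie, so it is worth confirming that DLA-1147-1 actually lists these three CVE ids rather than only the CVE-2017-11683 / CVE-2017-11591 entries further down. Leaving "- exiv2 <unfixed>" for unstable is fine, since the DLA covers the LTS suite only.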
@@ -7684,6 +7699,7 @@
 CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when ...)
 	NOT-FOR-US: Nimbus JOSE + JWT
 CVE-2017-12976 (git-annex before 6.20170818 allows remote attackers to execute ...)
+	{DLA-1144-1}
 	- git-annex 6.20170818-1 (bug #873088)
 	NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
 	NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
@@ -10424,14 +10440,11 @@
 	RESERVED
 CVE-2017-12161
 	RESERVED
-CVE-2017-12160
-	RESERVED
+CVE-2017-12160 (It was found that Keycloak oauth would permit an authenticated ...)
 	NOT-FOR-US: Keycloak
-CVE-2017-12159
-	RESERVED
+CVE-2017-12159 (It was found that the cookie used for CSRF prevention in Keycloak was ...)
 	NOT-FOR-US: Keycloak
-CVE-2017-12158
-	RESERVED
+CVE-2017-12158 (It was found that Keycloak would accept a HOST header URL in the admin ...)
 	NOT-FOR-US: Keycloak
 CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details ...)
 	- moodle <removed>
@@ -11617,6 +11630,7 @@
 	- libav <removed>
 	- ffmpeg 7:2.3.1-1
 CVE-2017-11683 (There is a reachable assertion in the ...)
+	{DLA-1147-1}
 	- exiv2 <unfixed> (low)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	[jessie] - exiv2 <no-dsa> (Minor issue)
@@ -11974,6 +11988,7 @@
 	NOTE: Not reproducible in wheezy/jessie/stretch/sid(0.25-3.1).
 	NOTE: Reproducible in experimental with version 0.26-1.
 CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function in ...)
+	{DLA-1147-1}
 	- exiv2 <unfixed> (low; bug #876893)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	[jessie] - exiv2 <no-dsa> (Minor issue)
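Review bot: adding {DLA-1147-1} to CVE-2017-11683 (previous hunk) and CVE-2017-11591 (this hunk) leaves the "[jessie] - exiv2 <no-dsa> (Minor issue)" line in place on both entries; a DLA reference records a jessie fix, so the jessie no-dsa annotation is now stale and should be dropped, while the "[stretch] - exiv2 <no-dsa>" line can stay.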
@@ -15260,6 +15275,7 @@
 	NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
 	NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
 CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is ...)
+	{DLA-1146-1}
 	- mosquitto <unfixed> (bug #865959)
 	[stretch] - mosquitto <no-dsa> (Minor issue)
 	[jessie] - mosquitto <no-dsa> (Minor issue)
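Review bot: the same inconsistency appears here for CVE-2017-9868: {DLA-1146-1} is added while "[jessie] - mosquitto <no-dsa> (Minor issue)" remains, so the entry simultaneously claims a jessie fix via DLA and a no-DSA decision for jessie. Remove the [jessie] line (keeping the [stretch] one) so the tracker's jessie status follows the DLA.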
@@ -23509,8 +23525,8 @@
 	NOT-FOR-US: Fortinet FortiOS
 CVE-2017-7733
 	RESERVED
-CVE-2017-7732
-	RESERVED
+CVE-2017-7732 (A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet ...)
+	TODO: check
 CVE-2017-7731 (A weak password recovery vulnerability in Fortinet FortiPortal ...)
 	NOT-FOR-US: Fortinet FortiPortal
 CVE-2017-7730 (iSmartAlarm cube devices allow Denial of Service. Sending a SYN flood ...)
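Review bot: CVE-2017-7732 is left at TODO: check although the neighbouring Fortinet entries in this hunk (FortiOS, FortiPortal) are all resolved as "NOT-FOR-US: Fortinet ..."; unless FortiOS is somehow packaged, triage can resolve this one the same way rather than leaving the automatic placeholder.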
@@ -24935,8 +24951,8 @@
 	NOT-FOR-US: Fortinet FortiPortal
 CVE-2017-7342
 	RESERVED
-CVE-2017-7341
-	RESERVED
+CVE-2017-7341 (An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 ...)
+	TODO: check
 CVE-2017-7340
 	RESERVED
 CVE-2017-7339 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...)
@@ -24947,8 +24963,8 @@
 	NOT-FOR-US: Fortinet FortiPortal
 CVE-2017-7336 (A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and ...)
 	NOT-FOR-US: Fortinet
-CVE-2017-7335
-	RESERVED
+CVE-2017-7335 (A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x ...)
+	TODO: check
 CVE-2017-7334
 	RESERVED
 CVE-2017-7333
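Review bot: CVE-2017-7335 here and CVE-2017-7341 in the preceding hunk are both FortiWLC issues sitting next to entries already annotated "NOT-FOR-US: Fortinet"; the TODO: check placeholders on both should be resolved consistently with the CVE-2017-7336 entry directly above rather than left for a later pass.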
@@ -29019,8 +29035,8 @@
 	NOT-FOR-US: InterSect Alliance SNARE Epilog
 CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows ...)
 	NOT-FOR-US: SAP Message Server
-CVE-2017-5996
-	RESERVED
+CVE-2017-5996 (The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before ...)
+	TODO: check
 CVE-2017-5995 (The NetApp ONTAP Select Deploy administration utility 2.0 through ...)
 	NOT-FOR-US: NetApp ONTAP Select Deploy administration utility
 CVE-2017-14431 (Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a ...)
@@ -30459,6 +30475,7 @@
 	NOTE: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2
 CVE-2017-5595 (A file disclosure and inclusion vulnerability exists in ...)
+	{DLA-1145-1}
 	- zoneminder 1.30.4+dfsg-1 (bug #854733)
 	NOTE: Check https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this ...)
@@ -35661,8 +35678,8 @@
 	RESERVED
 CVE-2017-3772
 	RESERVED
-CVE-2017-3771
-	RESERVED
+CVE-2017-3771 (System boot process is not adequately secured In Lenovo E95 and ...)
+	TODO: check
 CVE-2017-3770 (Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 ...)
 	NOT-FOR-US: Lenovo LXCA
 CVE-2017-3769
@@ -121835,8 +121852,7 @@
 	NOT-FOR-US: Intrexx
 CVE-2014-2024 (Cross-site scripting (XSS) vulnerability in ...)
 	NOT-FOR-US: Open Classifieds
-CVE-2014-2023
-	RESERVED
+CVE-2014-2023 (Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 ...)
 	NOT-FOR-US: vBulletin
 CVE-2014-2022 (SQL injection vulnerability in includes/api/4/breadcrumbs_create.php ...)
 	NOT-FOR-US: vBulletin
@@ -152960,14 +152976,12 @@
 	[squeeze] - mediawiki <end-of-life>
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
 	NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
-CVE-2012-4378 [DOM-based XSS]
-	RESERVED
+CVE-2012-4378 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki ...)
 	- mediawiki 1:1.19.2-1 (bug #686330)
 	[squeeze] - mediawiki <end-of-life>
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
 	NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
-CVE-2012-4377 [[mediawiki stored XSS]
-	RESERVED
+CVE-2012-4377 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 ...)
 	- mediawiki 1:1.19.2-1 (bug #686330)
 	[squeeze] - mediawiki <not-affected> (Introduced in 1.16)
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
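Review bot: replacing the local tags "[DOM-based XSS]" and "[[mediawiki stored XSS]" with the official descriptions is correct and also removes the unbalanced double bracket on the old CVE-2012-4377 line; the package, suite and NOTE lines under both entries are unchanged context, so nothing else in this hunk needs attention.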
@@ -160042,8 +160056,7 @@
 	NOT-FOR-US: Drupal addon module not packaged in Debian
 CVE-2012-1623 (The Registration Codes module before 6.x-2.4 for Drupal does not ...)
 	NOT-FOR-US: Drupal addon module not packaged in Debian
-CVE-2012-1622
-	RESERVED
+CVE-2012-1622 (Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to ...)
 	NOT-FOR-US: Apache OFBiz
 CVE-2012-1621 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For ...)
 	NOT-FOR-US: Apache OFBiz