[Secure-testing-commits] r57146 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Mon Oct 30 21:10:16 UTC 2017
Author: sectracker
Date: 2017-10-30 21:10:16 +0000 (Mon, 30 Oct 2017)
New Revision: 57146
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-10-30 21:06:22 UTC (rev 57145)
+++ data/CVE/list 2017-10-30 21:10:16 UTC (rev 57146)
@@ -1,3 +1,9 @@
+CVE-2017-16232
+ RESERVED
+CVE-2017-16231
+ RESERVED
+CVE-2017-16230 (In admin/write-post.php in Typecho through 1.1, one can log in to the ...)
+ TODO: check
CVE-2017-16229
RESERVED
CVE-2017-16228 (Dulwich before 0.18.5, when an SSH subprocess is used, allows remote ...)
@@ -8,6 +14,7 @@
NOTE: This is similar class of issue as for CVE-2017-1000117/git
NOTE: But needs a separate CVE since different codebasis.
CVE-2017-16227 (The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 ...)
+ {DSA-4011-1}
- quagga <unfixed> (bug #879474)
NOTE: https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008
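Review bot: the {DSA-4011-1} cross-reference added to CVE-2017-16227 sits directly above `- quagga <unfixed> (bug #879474)`, so the entry now records an advisory while unstable is still tracked as unfixed. As an interim state that is acceptable, but the quagga line should get the fixed version once the upload closing bug #879474 reaches unstable, otherwise the entry keeps reporting the package as vulnerable after the DSA.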
@@ -1049,10 +1056,10 @@
- libextractor <unfixed> (low; bug #880016)
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html
NOTE: Fixed by: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117
-CVE-2017-15921
- RESERVED
-CVE-2017-15920
- RESERVED
+CVE-2017-15921 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro ...)
+ TODO: check
+CVE-2017-15920 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro ...)
+ TODO: check
CVE-2017-15918
RESERVED
CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create ...)
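Review bot: CVE-2017-15921 and CVE-2017-15920 come in with the same truncated description ("In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro ...") and both are left at TODO: check. They should be triaged as a pair; if the product is not packaged in Debian, both get the same NOT-FOR-US: line, in the style this file already uses for other vendor products.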
@@ -1125,8 +1132,8 @@
RESERVED
CVE-2017-15889
RESERVED
-CVE-2017-15888
- RESERVED
+CVE-2017-15888 (Cross-site scripting (XSS) vulnerability in Custom Internet Radio List ...)
+ TODO: check
CVE-2017-15887
RESERVED
CVE-2017-15886
@@ -1767,8 +1774,7 @@
RESERVED
CVE-2017-15598
RESERVED
-CVE-2017-15597
- RESERVED
+CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying code made ...)
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-236.html
CVE-2017-15586
@@ -3096,8 +3102,7 @@
NOTE: https://security.libvirt.org/2017/0002.html
NOTE: Broken by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=ce61c16450d4992612d1fc6f39a39e79bfccead5 (master)
NOTE: Fixed by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=441d3eb6d1be940a67ce45a286602a967601b157 (master)
-CVE-2017-1000255 [kernel memory overwrite in transactional memory handling]
- RESERVED
+CVE-2017-1000255 (On Linux running on PowerPC hardware (Power8 or later) a user process ...)
- linux 4.13.4-2
[jessie] - linux <not-affected> (Vulnerable code introduced later)
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
@@ -3650,8 +3655,7 @@
NOT-FOR-US: Tine groupware
CVE-2017-14920 (Stored XSS vulnerability in eGroupware Community Edition before ...)
NOT-FOR-US: eGroupware
-CVE-2017-14919
- RESERVED
+CVE-2017-14919 (Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows ...)
- nodejs <unfixed> (unimportant)
NOTE: Debian doesn't use zlib 1.2.9 yet
NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
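Review bot: with the description now attached, CVE-2017-14919 is a public entry whose (unimportant) rating on `- nodejs <unfixed>` rests on the note "Debian doesn't use zlib 1.2.9 yet", which is a time-dependent condition. Suggest recording which zlib version the rating was checked against, so the entry is revisited when a newer zlib enters the archive.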
@@ -10769,8 +10773,8 @@
RESERVED
CVE-2017-12461
RESERVED
-CVE-2017-12460
- RESERVED
+CVE-2017-12460 (Unspecified vulnerability in Barco ClickShare CSM-1 firmware before ...)
+ TODO: check
CVE-2017-12459 (The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the ...)
- binutils 2.29-8
[stretch] - binutils <ignored> (Minor issue)
@@ -17696,8 +17700,8 @@
NOT-FOR-US: Oracle
CVE-2017-10152 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
NOT-FOR-US: Oracle
-CVE-2017-10151
- RESERVED
+CVE-2017-10151 (Vulnerability in the Oracle Identity Manager component of Oracle ...)
+ TODO: check
CVE-2017-10150 (Vulnerability in the Primavera Unifier component of Oracle Primavera ...)
NOT-FOR-US: Primavera
CVE-2017-10149 (Vulnerability in the Primavera Unifier component of Oracle Primavera ...)
@@ -19228,8 +19232,8 @@
- piwigo <removed>
CVE-2017-9451 (Cross site scripting (XSS) vulnerability in pages.edit_form.php in ...)
NOT-FOR-US: flatCore CMS
-CVE-2017-9450
- RESERVED
+CVE-2017-9450 (The Amazon Web Services (AWS) CloudFormation bootstrap tools package ...)
+ TODO: check
CVE-2017-9449 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote ...)
NOT-FOR-US: BigTree CMS
CVE-2017-9448 (Cross-site scripting (XSS) vulnerabilities in BigTree CMS through ...)
@@ -19477,8 +19481,8 @@
NOT-FOR-US: BigTree CMS
CVE-2017-9378 (BigTree CMS through 4.2.18 does not prevent a user from deleting their ...)
NOT-FOR-US: BigTree CMS
-CVE-2017-9377
- RESERVED
+CVE-2017-9377 (A command injection was identified on Barco ClickShare Base Unit ...)
+ TODO: check
CVE-2017-9376
RESERVED
CVE-2017-9375 (QEMU (aka Quick Emulator), when built with USB xHCI controller ...)
@@ -25815,8 +25819,8 @@
- php-horde-crypt 2.7.5-2 (bug #859635)
CVE-2017-7412 (NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which ...)
NOT-FOR-US: NixOS specific Docker issue
-CVE-2017-7411
- RESERVED
+CVE-2017-7411 (An issue was discovered in Enalean Tuleap 9.6 and prior versions. The ...)
+ TODO: check
CVE-2017-7410 (Multiple SQL injection vulnerabilities in account/signup.php and ...)
NOT-FOR-US: WebsiteBaker
CVE-2017-7409 (Palo Alto Networks PAN-OS before 7.0.15 has XSS in the GlobalProtect ...)
@@ -67327,8 +67331,8 @@
NOTE: https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
CVE-2016-3091 (Cloud Foundry Diego 0.1468.0 through 0.1470.0 allows remote attackers ...)
NOT-FOR-US: Cloud Foundry Diego
-CVE-2016-3090
- RESERVED
+CVE-2016-3090 (The TextParseUtil.translateVariables method in Apache Struts 2.x ...)
+ TODO: check
CVE-2016-3089 (Cross-site scripting (XSS) vulnerability in the SWF panel in Apache ...)
NOT-FOR-US: Apache OpenMeetings
CVE-2016-3088 (The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 ...)
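Review bot: CVE-2016-3090 is left at TODO: check although its description names Apache Struts 2.x, and this file already carries a package line for a Struts 2.x issue (CVE-2014-0116: `- libstruts1.2-java <not-affected> (Struts 2.0.0 through to Struts 2.3.16.2)`). Check this one against libstruts1.2-java in the same way when resolving the TODO, so the Struts entries stay consistent.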
@@ -80920,8 +80924,7 @@
- linux 4.3.3-3
- linux-2.6 <removed>
NOTE: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d (v4.4-rc8)
-CVE-2015-7549 [pci: msi-x: null pointer dereference issue]
- RESERVED
+CVE-2015-7549 (The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) ...)
{DSA-3471-1}
- qemu 1:2.5+dfsg-1 (bug #808131)
[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -92804,8 +92807,8 @@
CVE-2015-3250 (Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct ...)
- apache-directory-api 1.0.0~M20-3 (bug #791957)
NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/5
-CVE-2015-3249
- RESERVED
+CVE-2015-3249 (The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before ...)
+ TODO: check
CVE-2015-3248 (openhpi/Makefile.am in OpenHPI before 3.6.0 uses world-writable ...)
- openhpi <not-affected> (Only affects RPM packaging, in Debian directory is not world-writable, bug #789543)
CVE-2015-3247 (Race condition in the worker_update_monitors_config function in SPICE ...)
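Review bot: CVE-2015-3249 is added with TODO: check, but its description names Apache Traffic Server 5.3.x, and trafficserver is a tracked source package in this file (see the `- trafficserver` lines under CVE-2014-3624 and CVE-2014-3525). This entry needs a `- trafficserver` line with per-release status rather than a NOT-FOR-US resolution.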
@@ -104477,15 +104480,13 @@
- wss4j 1.6.15-2 (bug #777741)
[wheezy] - wss4j <not-affected> (Vulnerable code not present)
[squeeze] - wss4j <not-affected> (Vulnerable code not present)
-CVE-2015-0226
- RESERVED
+CVE-2015-0226 (Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks ...)
- wss4j 1.6.15-2 (bug #777741)
[wheezy] - wss4j <not-affected> (Vulnerable code not present)
[squeeze] - wss4j <not-affected> (Vulnerable code not present)
CVE-2015-0225 (The default configuration in Apache Cassandra 1.2.0 through 1.2.19, ...)
- cassandra <itp> (bug #585905)
-CVE-2015-0224 [qpidd can be crashed by unauthenticated user]
- RESERVED
+CVE-2015-0224 (qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause ...)
- qpid-cpp <not-affected> (Incomplete fix for CVE-2015-0203 not applied)
NOTE: CVE is for incomplete fix for CVE-2015-0203, which is not fixed in Debian
NOTE: https://issues.apache.org/jira/browse/QPID-6310
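Review bot: the description added for CVE-2015-0226 says Apache WSS4J before 1.6.17 is affected, while the package line under it records `- wss4j 1.6.15-2 (bug #777741)` as fixed, the same version and bug as the entry just above. If 1.6.15-2 carries a backported patch, a NOTE saying so would explain why a version lower than the upstream fix is listed; otherwise the fixed version needs correcting.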
@@ -118280,8 +118281,7 @@
NOTE: https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601 (3.2.x)
NOTE: https://jira.spring.io/browse/SPR-12354
NOTE: http://www.pivotal.io/security/cve-2014-3625
-CVE-2014-3624 [Ensure remap requests are properly tunneled using CONNECT requests to avoid an open relay]
- RESERVED
+CVE-2014-3624 (Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to ...)
- trafficserver 5.0.0-1
[wheezy] - trafficserver <not-affected> (Only affects 4.0.2 to 4.1.2)
NOTE: https://issues.apache.org/jira/browse/TS-2677
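Review bot: the description added for CVE-2014-3624 gives the affected range as Apache Traffic Server 5.1.x before 5.1.1, which does not line up with the existing lines under it: `- trafficserver 5.0.0-1` as the fixed version and a wheezy note of "Only affects 4.0.2 to 4.1.2". The two ranges need reconciling; re-check against TS-2677 and either correct the package lines or add a NOTE explaining the difference.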
@@ -118728,8 +118728,8 @@
NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=56164
CVE-2014-3527 (When using the CAS Proxy ticket authentication from Spring Security ...)
- libspring-security-java <itp> (bug #582181)
-CVE-2014-3526
- RESERVED
+CVE-2014-3526 (Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before ...)
+ TODO: check
CVE-2014-3525 (Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, ...)
- trafficserver 5.0.1-1 (low)
[wheezy] - trafficserver <no-dsa> (Minor issue)
@@ -128822,8 +128822,8 @@
CVE-2014-0116 (CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a ...)
- libstruts1.2-java <not-affected> (Struts 2.0.0 through to Struts 2.3.16.2)
NOTE: https://cwiki.apache.org/confluence/display/WW/S2-022
-CVE-2014-0115
- RESERVED
+CVE-2014-0115 (Directory traversal vulnerability in the log viewer in Apache Storm ...)
+ TODO: check
CVE-2014-0114 (Apache Commons BeanUtils, as distributed in ...)
{DSA-2940-1 DLA-57-1}
- libstruts1.2-java 1.2.9-9 (bug #745897)
@@ -128992,11 +128992,9 @@
- tomcat6 6.0.41-1
CVE-2014-0074 (Apache Shiro 1.x before 1.2.3, when using an LDAP server with ...)
- shiro 1.2.3-1
-CVE-2014-0073
- RESERVED
+CVE-2014-0073 (The CDVInAppBrowser class in the Apache Cordova In-App-Browser ...)
NOT-FOR-US: Apache Cordova
-CVE-2014-0072
- RESERVED
+CVE-2014-0072 (ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone ...)
NOT-FOR-US: Apache Cordova
CVE-2014-0071 (PackStack in Red Hat OpenStack 4.0 does not enforce the default ...)
- neutron 2014.1-1
@@ -135948,8 +135946,8 @@
CVE-2013-4367
RESERVED
NOT-FOR-US: ovirt
-CVE-2013-4366
- RESERVED
+CVE-2013-4366 (http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x ...)
+ TODO: check
CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read function in ...)
{DSA-2778-1}
- libapache2-mod-fcgid 1:2.3.9-1 (bug #725942)
@@ -136393,8 +136391,7 @@
- linux-2.6 <not-affected> (Introduced in 3.8)
- linux 3.9.6-1
[wheezy] - linux <not-affected> (Introduced in 3.8)
-CVE-2013-4246 [FSFS repository corruption due to editing packed revision properties]
- RESERVED
+CVE-2013-4246 (libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might ...)
- subversion <not-affected> (only affects 1.8.0 and 1.8.1)
CVE-2013-4245 [Arbitrary code execution due to insecure CWD Python module load]
RESERVED
@@ -150427,8 +150424,8 @@
- sanlock 2.2-2 (bug #696424)
CVE-2012-5637
REJECTED
-CVE-2012-5636
- RESERVED
+CVE-2012-5636 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...)
+ TODO: check
CVE-2012-5635 (The GlusterFS functionality in Red Hat Storage Management Console 2.0, ...)
- glusterfs <unfixed> (unimportant; bug #704944)
NOTE: Neutralised by kernel hardening
@@ -151166,10 +151163,10 @@
- libav 6:0.8.5-1 (bug #694483)
NOTE: http://technet.microsoft.com/en-us/security/msvr/msvr12-017
NOTE: upstream needs a proper sample to reproduce the issue
-CVE-2012-5358
- RESERVED
-CVE-2012-5357
- RESERVED
+CVE-2012-5358 (The XSLTCompiledTransform function in Ektron Content Management System ...)
+ TODO: check
+CVE-2012-5357 (Ektron Content Management System (CMS) before 8.02 SP5 uses the ...)
+ TODO: check
CVE-2012-5356 (The apt-add-repository tool in Ubuntu Software Properties 0.75.x ...)
NOT-FOR-US: apt-add-repository
CVE-2012-5355 (welcome.py in xdiagnose before 2.5.2ubuntu0.1 allows local users to ...)
@@ -153765,8 +153762,8 @@
- 389-ds-base 1.2.11.15-1 (bug #688942)
NOTE: Upstream ticket https://fedorahosted.org/389/ticket/340
NOTE: Upstream patch http://git.fedorahosted.org/cgit/389/ds.git/commit/?id=5beb93d42efb807838c09c5fab898876876f8d09
-CVE-2012-4449
- RESERVED
+CVE-2012-4449 (Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 ...)
+ TODO: check
CVE-2012-4448 (Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php ...)
- wordpress 3.5.1+dfsg-2 (low; bug #689031)
[squeeze] - wordpress <no-dsa> (Minor issue)
@@ -162864,8 +162861,7 @@
- mysql-5.5 5.5.22 (bug #675872)
- cyassl <not-affected> (Fixed before initial upload to archive)
NOTE: limited information about issue, only a video of exploit taking place
-CVE-2012-0881 [xerces-j2 hash table collisions CPU usage DoS]
- RESERVED
+CVE-2012-0881 (Apache Xerces2 Java allows remote attackers to cause a denial of ...)
- libxerces2-java <unfixed> (unimportant)
NOTE: Negligable impact for Xerces
CVE-2012-0880 (Apache Xerces-C++ allows remote attackers to cause a denial of service ...)
@@ -204473,10 +204469,10 @@
RESERVED
CVE-2009-1199
RESERVED
-CVE-2009-1198
- RESERVED
-CVE-2009-1197
- RESERVED
+CVE-2009-1198 (Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 ...)
+ TODO: check
+CVE-2009-1197 (Apache jUDDI before 2.0 allows attackers to spoof entries in log files ...)
+ TODO: check
CVE-2009-1196 (The directory-services functionality in the scheduler in CUPS 1.1.17 ...)
- cups 1.1.99.b1.r4748-1
- cupsys <removed>