[Secure-testing-commits] r55985 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Thu Sep 21 21:10:15 UTC 2017
Author: sectracker
Date: 2017-09-21 21:10:14 +0000 (Thu, 21 Sep 2017)
New Revision: 55985
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-09-21 20:53:36 UTC (rev 55984)
+++ data/CVE/list 2017-09-21 21:10:14 UTC (rev 55985)
@@ -1,4 +1,42 @@
-CVE-2017-14650
+CVE-2017-14654
+ RESERVED
+CVE-2017-14653
+ RESERVED
+CVE-2017-14652 (SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the ...)
+ TODO: check
+CVE-2017-14651 (WSO2 Data Analytics Server 3.1.0 has XSS in ...)
+ TODO: check
+CVE-2017-14649 (ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does ...)
+ TODO: check
+CVE-2017-14648 (A global buffer overflow was discovered in the iteration_loop function ...)
+ TODO: check
+CVE-2017-14647 (A heap-based buffer overflow was discovered in ...)
+ TODO: check
+CVE-2017-14646 (The AP4_AvccAtom and AP4_HvccAtom classes in Bento4 version 1.5.0-617 ...)
+ TODO: check
+CVE-2017-14645 (A heap-based buffer over-read was discovered in ...)
+ TODO: check
+CVE-2017-14644 (A heap-based buffer overflow was discovered in the AP4_HdlrAtom class ...)
+ TODO: check
+CVE-2017-14643 (The AP4_HdlrAtom class in Core/Ap4HdlrAtom.cpp in Bento4 version ...)
+ TODO: check
+CVE-2017-14642 (A NULL pointer dereference was discovered in the AP4_HdlrAtom class in ...)
+ TODO: check
+CVE-2017-14641 (A NULL pointer dereference was discovered in the AP4_DataAtom class in ...)
+ TODO: check
+CVE-2017-14640 (A NULL pointer dereference was discovered in ...)
+ TODO: check
+CVE-2017-14639 (AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 ...)
+ TODO: check
+CVE-2017-14638 (AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in ...)
+ TODO: check
+CVE-2017-14637
+ RESERVED
+CVE-2017-14636
+ RESERVED
+CVE-2017-14635 (In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before ...)
+ TODO: check
+CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Horde_Image ...)
- php-horde-image <unfixed> (bug #876400)
NOTE: https://marc.info/?l=horde-announce&m=150600299528079&w=2
NOTE: https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
@@ -814,10 +852,10 @@
RESERVED
CVE-2017-14322
RESERVED
-CVE-2017-14321
- RESERVED
-CVE-2017-14320
- RESERVED
+CVE-2017-14321 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
+ TODO: check
+CVE-2017-14320 (Mirasvit Helpdesk MX before 1.5.3 might allow remote attackers to ...)
+ TODO: check
CVE-2017-14319 (A grant unmapping issue was discovered in Xen through 4.9.x. When ...)
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-234.html
@@ -939,7 +977,7 @@
CVE-2015-9226 (Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow ...)
NOT-FOR-US: AlegroCart
CVE-2017-14482 (GNU Emacs before 25.3 allows remote attackers to execute arbitrary code ...)
- {DSA-3975-1 DSA-3970-1}
+ {DSA-3975-1 DSA-3970-1 DLA-1101-1}
- emacs25 25.2+1-6 (bug #875447)
- emacs24 <removed> (bug #875448)
- emacs23 <removed> (bug #875449)
@@ -1005,10 +1043,10 @@
NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5402b6e0fcf8b694ae2af6a6652ebb8ce0ccf46
CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) ...)
NOT-FOR-US: EyesOfNetwork (EON)
-CVE-2017-14246
- RESERVED
-CVE-2017-14245
- RESERVED
+CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of ...)
+ TODO: check
+CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of ...)
+ TODO: check
CVE-2017-14244 (An authentication bypass vulnerability on iBall Baton ADSL2+ Home ...)
NOT-FOR-US: iBall
CVE-2017-14243 (An authentication bypass vulnerability on UTStar WA3002G4 ADSL ...)
@@ -1246,8 +1284,7 @@
NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa
NOTE: http://www.openwall.com/lists/oss-security/2017/09/06/4
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/
-CVE-2017-14160
- RESERVED
+CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 ...)
- libvorbis <unfixed>
NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/2
NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3
@@ -1310,7 +1347,7 @@
NOTE: https://www.armis.com/blueborne/
NOTE: https://access.redhat.com/security/vulnerabilities/blueborne
CVE-2017-1000250 (All versions of the SDP server in BlueZ 5.46 and earlier are ...)
- {DSA-3972-1}
+ {DSA-3972-1 DLA-1103-1}
- bluez 5.46-1 (bug #875633)
NOTE: https://www.armis.com/blueborne/
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09
@@ -4383,12 +4420,12 @@
NOTE: https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4
CVE-2017-12931
RESERVED
-CVE-2017-12930
- RESERVED
-CVE-2017-12929
- RESERVED
-CVE-2017-12928
- RESERVED
+CVE-2017-12930 (SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 ...)
+ TODO: check
+CVE-2017-12929 (Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 ...)
+ TODO: check
+CVE-2017-12928 (A hard-coded password of tecn0visi0n for the dlxuser account in ...)
+ TODO: check
CVE-2017-12926
RESERVED
CVE-2017-12918
@@ -4502,6 +4539,7 @@
CVE-2017-12884
RESERVED
CVE-2017-12883 (Buffer overflow in the regular expression parser in PERL before ...)
+ {DSA-3982-1}
- perl 5.26.0-8 (bug #875597)
[wheezy] - perl <not-affected> (Vulnerable code introduced later)
NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131598 (not yet public)
@@ -5144,6 +5182,7 @@
CVE-2017-12838 (Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows ...)
NOT-FOR-US: NexusPHP
CVE-2017-12837 (Heap-based buffer overflow in the regular expression compiler in PERL ...)
+ {DSA-3982-1}
- perl 5.26.0-8 (bug #875596)
[wheezy] - perl <not-affected> (Vulnerable code introduced after 5.14.4)
NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131582 (not yet public)
@@ -6801,8 +6840,7 @@
RESERVED
CVE-2017-12171
RESERVED
-CVE-2017-12170 [Ignoring existing configuration after update due to packaging error]
- RESERVED
+CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was ...)
- pure-ftpd <not-affected> (Fedora specific packaging error)
CVE-2017-12169
RESERVED
@@ -6855,8 +6893,7 @@
- linux 4.12.13-1
NOTE: Fixed by: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f (v4.14-rc1)
NOTE: https://www.spinics.net/lists/kvm/msg155414.html
-CVE-2017-12153 [null pointer dereference in nl80211_set_rekey_data()]
- RESERVED
+CVE-2017-12153 (A security flaw was discovered in the nl80211_set_rekey_data() function ...)
{DSA-3981-1 DLA-1099-1}
- linux 4.12.13-1
NOTE: https://marc.info/?t=150525503100001&r=1&w=2
@@ -10154,11 +10191,9 @@
RESERVED
CVE-2017-11042
RESERVED
-CVE-2017-11041
- RESERVED
+CVE-2017-11041 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-11040
- RESERVED
+CVE-2017-11040 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-11039
RESERVED
@@ -10234,26 +10269,19 @@
RESERVED
CVE-2017-11003
RESERVED
-CVE-2017-11002
- RESERVED
+CVE-2017-11002 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-11001
- RESERVED
+CVE-2017-11001 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-11000
- RESERVED
+CVE-2017-11000 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-10999
- RESERVED
+CVE-2017-10999 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-10998
- RESERVED
+CVE-2017-10998 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-10997
- RESERVED
+CVE-2017-10997 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-10996
- RESERVED
+CVE-2017-10996 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-10995 (The mng_get_long function in coders/png.c in ImageMagick 7.0.6-0 allows ...)
{DLA-1081-1}
@@ -11870,7 +11898,7 @@
CVE-2017-9799 (It was found that under some situations and configurations of Apache ...)
NOT-FOR-US: Apache Storm
CVE-2017-9798 (Apache httpd allows remote attackers to read secret data from process ...)
- {DSA-3980-1}
+ {DSA-3980-1 DLA-1102-1}
- apache2 <unfixed> (bug #876109)
NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
NOTE: https://github.com/hannob/optionsbleed
@@ -13666,11 +13694,9 @@
NOTE: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
NOTE: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
NOTE: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea
-CVE-2017-9725
- RESERVED
+CVE-2017-9725 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-9724
- RESERVED
+CVE-2017-9724 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-9723
RESERVED
@@ -13678,8 +13704,7 @@
RESERVED
CVE-2017-9721
RESERVED
-CVE-2017-9720
- RESERVED
+CVE-2017-9720 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-9719
RESERVED
@@ -13770,11 +13795,9 @@
NOT-FOR-US: Google drivers for Android
CVE-2017-9678 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-9677
- RESERVED
+CVE-2017-9677 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-9676
- RESERVED
+CVE-2017-9676 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-9675 (On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows an ...)
NOT-FOR-US: D-Link DIR-605L devices
@@ -17921,19 +17944,16 @@
NOTE: qemu issue without security implication per upstream
CVE-2017-8282 (XnView Classic for Windows Version 2.40 allows user-assisted remote ...)
NOT-FOR-US: XnView Classic for Windows
-CVE-2017-8281
- RESERVED
+CVE-2017-8281 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-8280
- RESERVED
+CVE-2017-8280 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-8279
RESERVED
-CVE-2017-8278
- RESERVED
+CVE-2017-8278 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-8277
- RESERVED
+CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the ...)
+ TODO: check
CVE-2017-8276
RESERVED
CVE-2017-8275
@@ -17984,18 +18004,15 @@
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-8252
RESERVED
-CVE-2017-8251
- RESERVED
+CVE-2017-8251 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
-CVE-2017-8250
- RESERVED
+CVE-2017-8250 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-8249
RESERVED
CVE-2017-8248 (A buffer overflow may occur in the processing of a downlink NAS ...)
NOT-FOR-US: Qualcomm Telephony
-CVE-2017-8247
- RESERVED
+CVE-2017-8247 (In all Qualcomm products with Android releases from CAF using the ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-8246 (In function msm_pcm_playback_close() in all Android releases from CAF ...)
- linux <not-affected> (Android-specific patch)
@@ -20292,8 +20309,7 @@
NOTE: https://pagure.io/389-ds-base/issue/49336
CVE-2017-7550
RESERVED
-CVE-2017-7549
- RESERVED
+CVE-2017-7549 (A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat ...)
NOT-FOR-US: instack-undercloud
CVE-2017-7548 (PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to ...)
{DSA-3936-1 DSA-3935-1}
@@ -20325,8 +20341,8 @@
NOTE: https://www.postgresql.org/about/news/1772/
CVE-2017-7545
RESERVED
-CVE-2017-7544
- RESERVED
+CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read ...)
+ TODO: check
CVE-2017-7543 [iptables not active after update]
RESERVED
- neutron <not-affected> (Specific to Red Hat packaging)
@@ -39139,7 +39155,7 @@
NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch
NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch
NOTE: Not considered a vulnerability per se, if this affects a terminal emulator it's a bug there
-CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a leakage of its ...)
+CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious ...)
- ruby2.3 <unfixed> (bug #875936)
- ruby2.1 <removed>
- ruby1.9.1 <removed>
@@ -71047,8 +71063,7 @@
- qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/4
-CVE-2015-8559 [knife bootstrap leaks validator privkey into system logs]
- RESERVED
+CVE-2015-8559 (The knife bootstrap command in chef leaks the validator.pem private ...)
- chef <unfixed> (bug #809670)
[stretch] - chef <no-dsa> (Minor issue; workaround using validatorless bootstrapping)
[jessie] - chef <no-dsa> (Minor issue; workaround using validatorless bootstrapping)
@@ -81974,8 +81989,7 @@
NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
CVE-2015-5285 (CRLF injection vulnerability in Kallithea before 0.3 allows remote ...)
- kallithea <itp> (bug #689573)
-CVE-2015-5284 [ipa-kra-install includes certificate and private key in world readable file]
- RESERVED
+CVE-2015-5284 (ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate ...)
- freeipa <not-affected> (Introduced in 4.2)
NOTE: https://fedorahosted.org/freeipa/ticket/5347
NOTE: Upstream commit: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=55a66ccba3e2181a50e7733b7476991975b7455f
@@ -83771,15 +83785,14 @@
NOTE: https://mantisbt.org/bugs/view.php?id=19873
CVE-2015-5057 (Cross-site scripting (XSS) vulnerability exists in the Wordpress admin ...)
NOT-FOR-US: WordPress plugin broken-link-checker
-CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2. ...)
+CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows ...)
- ipython 2.4.1-1 (bug #789824)
[jessie] - ipython <no-dsa> (Minor issue)
[wheezy] - ipython <not-affected> (Problematic code introduced in rel-2.0.0)
[squeeze] - ipython <not-affected> (Problematic code introduced in rel-2.0.0)
NOTE: https://github.com/ipython/ipython/commit/1fcc9943c000ab553ebc029db99ecbd0536960d6
NOTE: http://www.openwall.com/lists/oss-security/2015/06/22/4
-CVE-2015-4706 [IPython XSS in JSON error responses -- /api/contents path]
- RESERVED
+CVE-2015-4706 (Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 ...)
- ipython <not-affected> (Only affects 3.x)
CVE-2015-4704 (Directory traversal vulnerability in the Download Zip Attachments ...)
NOT-FOR-US: WordPress plugin download-zip-attachments
@@ -85964,8 +85977,7 @@
RESERVED
CVE-2015-3888
RESERVED
-CVE-2015-3887 [current path as the first directory for the library search path]
- RESERVED
+CVE-2015-3887 (Untrusted search path vulnerability in ProxyChains-NG before 4.9 ...)
NOT-FOR-US: proxychains-ng
NOTE: proxychains does not contain the vulnerable code
CVE-2015-3884 (Unrestricted file upload vulnerability in the (1) myAccount, (2) ...)
@@ -87597,8 +87609,8 @@
NOT-FOR-US: Wordpress plugin
CVE-2015-3298
RESERVED
-CVE-2015-3296
- RESERVED
+CVE-2015-3296 (Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before ...)
+ TODO: check
CVE-2015-3295 (markdown-it before 4.1.0 does not block data: URLs. ...)
- ruby-rails-assets-markdown-it 4.2.1-1
CVE-2015-3294 (The tcp_request function in Dnsmasq before 2.73rc4 does not properly ...)
@@ -94554,8 +94566,7 @@
RESERVED
CVE-2015-1188 (The certificate verification functions in the HNDS service in Swisscom ...)
NOT-FOR-US: Swisscom Centro Grande DSL router
-CVE-2015-1187
- RESERVED
+CVE-2015-1187 (The ping tool in multiple D-Link and TRENDnet devices allow remote ...)
NOT-FOR-US: D-Link
CVE-2015-1186
RESERVED
@@ -99263,8 +99274,7 @@
NOTE: https://github.com/libuv/libuv/pull/215
CVE-2015-0277 (The Service Provider (SP) in PicketLink before 2.7.0 does not ensure ...)
NOT-FOR-US: PicketLink
-CVE-2015-0276
- RESERVED
+CVE-2015-0276 (Cross-site request forgery (CSRF) vulnerability in Kallithea before ...)
- kallithea <itp> (bug #689573)
CVE-2015-0275 (The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel ...)
- linux 3.16.7-ckt9-1
More information about the Secure-testing-commits
mailing list