[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 6 20:10:26 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a4a617b6 by security tracker role at 2018-04-06T20:10:18+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,5 @@
+CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the standard ...)
+ TODO: check
CVE-2018-XXXX [wordpress: Don't treat localhost as same host by default]
- wordpress <unfixed> (bug #895034)
NOTE: https://core.trac.wordpress.org/changeset/42894
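Review bot: the new CVE-2018-9838 entry is left as "TODO: check" although the description already names the affected file, byterun/bigarray.c in an OCaml runtime's standard library, so the TODO should be resolved by recording the Debian source package that ships that file and the versions affected, rather than leaving the entry untriaged; the truncated "in the standard ..." description should be expanded from the CVE text when that is done.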
@@ -1038,25 +1040,25 @@ CVE-2018-9326
CVE-2018-9325
RESERVED
CVE-2018-9324
- RESERVED
+ REJECTED
CVE-2018-9323
- RESERVED
+ REJECTED
CVE-2018-9322
RESERVED
CVE-2018-9321
- RESERVED
+ REJECTED
CVE-2018-9320
RESERVED
CVE-2018-9319
- RESERVED
+ REJECTED
CVE-2018-9318
RESERVED
CVE-2018-9317
- RESERVED
+ REJECTED
CVE-2018-9316
- RESERVED
+ REJECTED
CVE-2018-9315
- RESERVED
+ REJECTED
CVE-2018-9314
RESERVED
CVE-2018-9313
@@ -4033,6 +4035,7 @@ CVE-2018-8090
CVE-2018-8089
RESERVED
CVE-2018-8088 (org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before ...)
+ {DLA-1342-1}
- libslf4j-java 1.7.25-3 (bug #893684)
NOTE: https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
NOTE: https://jira.qos.ch/browse/SLF4J-430
@@ -5506,18 +5509,22 @@ CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x befo
CVE-2018-7555
RESERVED
CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...)
+ {DLA-1340-1}
- sam2p <removed>
[jessie] - sam2p <ignored> (Consider removal in next point release)
NOTE: https://github.com/pts/sam2p/issues/29
CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...)
+ {DLA-1340-1}
- sam2p <removed>
[jessie] - sam2p <ignored> (Consider removal in next point release)
NOTE: https://github.com/pts/sam2p/issues/32
CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...)
+ {DLA-1340-1}
- sam2p <removed>
[jessie] - sam2p <ignored> (Consider removal in next point release)
NOTE: https://github.com/pts/sam2p/issues/30
CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...)
+ {DLA-1340-1}
- sam2p <removed>
[jessie] - sam2p <ignored> (Consider removal in next point release)
NOTE: https://github.com/pts/sam2p/issues/28
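Review bot: each of the four sam2p entries here gains a {DLA-1340-1} marker while the unchanged "[jessie] - sam2p <ignored> (Consider removal in next point release)" line below it is kept, which is contradictory: if DLA-1340-1 fixed these CVEs in jessie, the <ignored> annotation is stale and should be dropped in the same change so the tracker does not report jessie as both ignored and covered by a DLA; the same applies to the CVE-2018-7487 sam2p entry further down in this commit.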
@@ -5665,8 +5672,8 @@ CVE-2018-7508 (A Cross-site Scripting issue was discovered in OSIsoft PI Web API
NOT-FOR-US: OSIsoft PI
CVE-2018-7507
RESERVED
-CVE-2018-7506
- RESERVED
+CVE-2018-7506 (The private key of the web server in Moxa MXview versions 2.8 and ...)
+ TODO: check
CVE-2018-7505
RESERVED
CVE-2018-7504 (A Protection Mechanism Failure issue was discovered in OSIsoft PI ...)
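Review bot: CVE-2018-7506 is marked "TODO: check" although the description identifies the product as Moxa MXview, a vendor appliance management product that is not packaged in Debian; this should most likely be resolved as "NOT-FOR-US: Moxa MXview", in line with the neighbouring OSIsoft PI entries that already carry NOT-FOR-US.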
@@ -5729,6 +5736,7 @@ CVE-2018-7489 (FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5
CVE-2018-7488
RESERVED
CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function of ...)
+ {DLA-1340-1}
- sam2p <removed>
[jessie] - sam2p <ignored> (Consider removal in next point release)
NOTE: https://github.com/pts/sam2p/issues/18
@@ -8836,10 +8844,10 @@ CVE-2017-18100
RESERVED
CVE-2017-18099
RESERVED
-CVE-2017-18098
- RESERVED
-CVE-2017-18097
- RESERVED
+CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before version 7.6.1 ...)
+ TODO: check
+CVE-2017-18097 (The Trello board importer resource in Atlassian Jira before version ...)
+ TODO: check
CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links before ...)
NOT-FOR-US: Atlassian Application Links
CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version ...)
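Review bot: CVE-2017-18098 and CVE-2017-18097 are both left as "TODO: check" even though their descriptions name Atlassian Jira, and the adjacent CVE-2017-18096 and CVE-2017-18095 entries for Atlassian Application Links and Crucible are already marked NOT-FOR-US; these two should be triaged the same way ("NOT-FOR-US: Atlassian Jira") rather than left as TODO.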
@@ -22776,12 +22784,12 @@ CVE-2018-1274
RESERVED
CVE-2018-1273
RESERVED
-CVE-2018-1272
- RESERVED
-CVE-2018-1271
- RESERVED
-CVE-2018-1270
- RESERVED
+CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...)
+ TODO: check
+CVE-2018-1271 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...)
+ TODO: check
+CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...)
+ TODO: check
CVE-2018-1269
RESERVED
CVE-2018-1268
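Review bot: the three Spring Framework entries (CVE-2018-1272, CVE-2018-1271, CVE-2018-1270) stay at "TODO: check" although Spring is packaged in Debian as libspring-java, so the TODO should be resolved by comparing the affected ranges given in the descriptions (5.0 before 5.0.5, 4.3 before the stated 4.3.x) against the libspring-java versions in each suite and recording a fixed or <unfixed> version per package.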
@@ -34550,6 +34558,7 @@ CVE-2017-14451
RESERVED
CVE-2017-14450 [Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer Overflow Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499
@@ -34562,6 +34571,7 @@ CVE-2017-14449 [Simple DirectMedia Layer SDL2_image do_layer_surface Double-Free
NOTE: https://hg.libsdl.org/SDL_image/rev/d0142861559c
CVE-2017-14448 [Simple DirectMedia Layer SDL2_image load_xcf_tile_rle Decompression Code Execution Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497
@@ -34578,18 +34588,21 @@ CVE-2017-14443
RESERVED
CVE-2017-14442 [Simple DirectMedia Layer SDL2_image Image Palette Population Code Execution Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491
NOTE: https://hg.libsdl.org/SDL_image/rev/37445f6180a8
CVE-2017-14441 [Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code Execution Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490
NOTE: https://hg.libsdl.org/SDL_image/rev/a1e9b624ca10
CVE-2017-14440 [Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code Execution Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489
@@ -41546,6 +41559,7 @@ CVE-2017-12123
RESERVED
CVE-2017-12122 [Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code Execution Vulnerability]
RESERVED
+ {DLA-1341-1}
- libsdl2-image 2.0.3+dfsg1-1
- sdl-image1.2 1.2.12-8
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488
@@ -129185,7 +129199,7 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remo
NOTE: Not a real security feature according the manpage and upstream
CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, and ...)
NOT-FOR-US: patch as used in FreeBSD specifically
-CVE-2018-1000156 [input validation vulnerability when processing patch files]
+CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation vulnerability ...)
- patch 2.7.6-2 (bug #894993)
NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566
NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
@@ -145120,8 +145134,8 @@ CVE-2014-5074 (Siemens SIMATIC S7-1500 CPU devices with firmware before 1.6 allo
NOT-FOR-US: Siemens SIMATIC S7-1500 CPU devices
CVE-2014-5073 (vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 ...)
NOT-FOR-US: VMTurbo Operations Manager
-CVE-2014-5072
- RESERVED
+CVE-2014-5072 (Cross-site request forgery (CSRF) vulnerability in WP Security Audit ...)
+ TODO: check
CVE-2014-5071 (SQL injection vulnerability in the checkPassword function in ...)
NOT-FOR-US: Symmetricom
CVE-2014-5070 (Symmetricom s350i 2.70.15 allows remote authenticated users to gain ...)
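Review bot: CVE-2014-5072 is left as "TODO: check" while the description points at a CSRF issue in "WP Security Audit ...", which reads as a WordPress plugin; WordPress plugins are not packaged in Debian, so this most likely resolves to NOT-FOR-US once the truncated product name is confirmed from the full CVE text.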
@@ -145207,8 +145221,8 @@ CVE-2014-5036 (The Storage Controller (SC) component in Eucalyptus 3.4.2 through
- eucalyptus <removed>
CVE-2014-5035 (The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers ...)
NOT-FOR-US: Opendaylight
-CVE-2014-5034
- RESERVED
+CVE-2014-5034 (Cross-site request forgery (CSRF) vulnerability in the Brute Force ...)
+ TODO: check
CVE-2014-5023 (Repository.php in Gitter, as used in Gitlist, allows remote attackers ...)
- gitlist <itp> (bug #750368)
CVE-2014-5018 (Incomplete blacklist vulnerability in the autoEscape function in ...)
@@ -149132,8 +149146,7 @@ CVE-2014-3541 (The Repositories component in Moodle through 2.3.11, 2.4.x before
NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616
CVE-2014-3540
REJECTED
-CVE-2014-3539 [pickle.load of remotely supplied data with no authentication required]
- RESERVED
+CVE-2014-3539 (base/oi/doa.py in the Rope library in CPython (aka Python) allows ...)
- rope 0.10.3-1 (bug #777525)
[jessie] - rope <no-dsa> (Minor issue)
[squeeze] - rope <no-dsa> (Minor issue)
@@ -152484,8 +152497,8 @@ CVE-2014-2361 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module
NOT-FOR-US: OleumTech Wireless Gateway
CVE-2014-2360 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules ...)
NOT-FOR-US: OleumTech Wireless Gateway
-CVE-2014-2359
- RESERVED
+CVE-2014-2359 (OleumTech Wireless Sensor Network devices allow remote attackers to ...)
+ TODO: check
CVE-2014-2358 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
NOT-FOR-US: Fox-IT Fox DataDiode
CVE-2014-2357 (The GPT library in the Telegyr 8979 Master Protocol application in ...)
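Review bot: CVE-2014-2359 is marked "TODO: check" although its description names OleumTech Wireless Sensor Network devices, and the immediately preceding CVE-2014-2361 and CVE-2014-2360 entries for the same vendor are already "NOT-FOR-US: OleumTech Wireless Gateway"; this entry should be triaged consistently with them instead of left as TODO.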
@@ -155890,8 +155903,7 @@ CVE-2014-1228
RESERVED
CVE-2014-1227
RESERVED
-CVE-2014-1226
- RESERVED
+CVE-2014-1226 (The pipe_init_terminal function in main.c in s3dvt allows local users ...)
- s3d 0.2.2-13 (unimportant)
NOTE: http://hmarco.org/bugs/CVE-2014-1226-s3dvt_0.2.2-root-shell.html
NOTE: Additional patch hunk applied in 0.2.2-11 (experimental) only
@@ -159791,8 +159803,7 @@ CVE-2013-6878
NOT-FOR-US: MijoSearch
CVE-2013-6877 (Heap-based buffer overflow in RealNetworks RealPlayer before 17.0.4.61 ...)
NOT-FOR-US: RealPlayer
-CVE-2013-6876
- RESERVED
+CVE-2013-6876 (The (1) pty_init_terminal and (2) pipe_init_terminal functions in ...)
- s3d 0.2.2-9 (unimportant)
NOTE: http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html
NOTE: Not running with elevated privileges in Debian packaging
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4a617b60955451d138ec501ce53ac1476718f37
---