[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu Apr 12 20:10:26 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9960e818 by security tracker role at 2018-04-12T20:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,13 +1,41 @@
-CVE-2018-10074 [clk: hisilicon: hi3600: Fix potential NULL dereference in hi3660_stub_clk_probe()]
+CVE-2018-10076
+	RESERVED
+CVE-2018-10075
+	RESERVED
+CVE-2018-10073 (joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword ...)
+	TODO: check
+CVE-2018-10072 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...)
+	TODO: check
+CVE-2018-10071 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...)
+	TODO: check
+CVE-2018-10070
+	RESERVED
+CVE-2018-10069
+	RESERVED
+CVE-2018-10068 (The jDownloads extension before 3.2.59 for Joomla! has XSS. ...)
+	TODO: check
+CVE-2018-10067
+	RESERVED
+CVE-2018-10066
+	RESERVED
+CVE-2018-10065
+	RESERVED
+CVE-2018-10064
+	RESERVED
+CVE-2018-10063 (The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to ...)
+	TODO: check
+CVE-2018-10062
+	RESERVED
+CVE-2018-10074 (The hi3660_stub_clk_probe function in ...)
 	- linux <unfixed>
 	NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7)
-CVE-2018-10061 [XSS because making certain htmlspecialchars calls without the ENT_QUOTES flag]
+CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars ...)
 	- cacti 1.1.37+ds1-1
 	NOTE: https://github.com/Cacti/cacti/issues/1457
-CVE-2018-10060 [XSS related issue to use of the sanitize_uri function in lib/functions.php]
+CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject ...)
 	- cacti 1.1.37+ds1-1
 	NOTE: https://github.com/Cacti/cacti/issues/1457
-CVE-2018-10059 [XSS related issue in get_current_page]
+CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page function in ...)
 	- cacti 1.1.37+ds1-1
 	NOTE: https://github.com/Cacti/cacti/issues/1457
 CVE-2018-10058
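Review bot: CVE-2018-10074 is placed after CVE-2018-10062 in the new block, so the top of data/CVE/list is no longer in descending CVE order; the entry (with its two unchanged linux triage lines, `- linux <unfixed>` and the `NOTE: Fixed by:` link) belongs between CVE-2018-10075 and CVE-2018-10073. The hunk also drops the local bracketed summary ("clk: hisilicon: hi3600: Fix potential NULL dereference ...") in favour of the truncated published description, so the kernel-specific hint now survives only in the commit URL on the NOTE line.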
@@ -486,10 +514,10 @@ CVE-2018-9845
 	- etherpad-lite <itp> (bug #576998)
 CVE-2018-9844 (The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress ...)
 	NOT-FOR-US: Iptanus WordPress File Upload plugin for WordPress
-CVE-2018-9843
-	RESERVED
-CVE-2018-9842
-	RESERVED
+CVE-2018-9843 (The REST API in CyberArk Password Vault Web Access before 9.9.5 and ...)
+	TODO: check
+CVE-2018-9842 (CyberArk Password Vault before 9.7 allows remote attackers to obtain ...)
+	TODO: check
 CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through ...)
 	- ffmpeg <unfixed> (low)
 	[stretch] - ffmpeg <postponed> (Can wait until the next ffmpeg 3.2.x release)
@@ -2053,8 +2081,8 @@ CVE-2018-9157 (** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera
 	NOT-FOR-US: AXIS
 CVE-2018-9156 (** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) ...)
 	NOT-FOR-US: AXIS
-CVE-2018-9155
-	RESERVED
+CVE-2018-9155 (Cross-site scripting (XSS) vulnerability in Open-AudIT Professional ...)
+	TODO: check
 CVE-2018-9154
 	RESERVED
 CVE-2018-9153
@@ -2157,8 +2185,8 @@ CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a
 	NOT-FOR-US: Crea8social
 CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...)
 	NOT-FOR-US: BrilliantTS FUZE card
-CVE-2018-9118
-	RESERVED
+CVE-2018-9118 (exports/download.php in the 99 Robots WP Background Takeover ...)
+	TODO: check
 CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...)
 	NOT-FOR-US: WireMock
 CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...)
@@ -16009,8 +16037,8 @@ CVE-2018-3891
 	RESERVED
 CVE-2018-3890
 	RESERVED
-CVE-2018-3889
-	RESERVED
+CVE-2018-3889 (A specially crafted PCX image processed via the application can lead ...)
+	TODO: check
 CVE-2018-3888 (A memory corruption vulnerability exists in the PCX-parsing ...)
 	NOT-FOR-US: Computerinsel Photoline
 CVE-2018-3887 (A memory corruption vulnerability exists in the PCX-parsing ...)
@@ -16051,8 +16079,8 @@ CVE-2018-3870
 	RESERVED
 CVE-2018-3869
 	RESERVED
-CVE-2018-3868
-	RESERVED
+CVE-2018-3868 (A specially crafted TIFF image processed via the application can lead ...)
+	TODO: check
 CVE-2018-3867
 	RESERVED
 CVE-2018-3866
@@ -16063,10 +16091,10 @@ CVE-2018-3864
 	RESERVED
 CVE-2018-3863
 	RESERVED
-CVE-2018-3862
-	RESERVED
-CVE-2018-3861
-	RESERVED
+CVE-2018-3862 (A specially crafted TIFF image processed via the application can lead ...)
+	TODO: check
+CVE-2018-3861 (A specially crafted TIFF image processed via the application can lead ...)
+	TODO: check
 CVE-2018-3860
 	RESERVED
 CVE-2018-3859
@@ -24007,16 +24035,14 @@ CVE-2018-1088
 	RESERVED
 CVE-2018-1087
 	RESERVED
-CVE-2018-1086 [Debug parameter removal bypass, allowing information disclosure]
-	RESERVED
+CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug ...)
 	{DSA-4169-1}
 	- pcs <unfixed> (bug #895313)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2
 CVE-2018-1085
 	RESERVED
 	NOT-FOR-US: openshift-ansible
-CVE-2018-1084 [Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function]
-	RESERVED
+CVE-2018-1084 (corosync before version 2.4.4 is vulnerable to an integer overflow in ...)
 	- corosync <unfixed>
 	[jessie] - corosync <not-affected> (Vulnerable code introduced later)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/2
@@ -24038,8 +24064,7 @@ CVE-2018-1080 [Mishandled ACL configuration in AAclAuthz.java reverses rules tha
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1556657
 	NOTE: https://pagure.io/freeipa/issue/7453
 	NOTE: https://review.gerrithub.io/#/c/404435/
-CVE-2018-1079 [Privilege escalation via authorized user malicious REST call]
-	RESERVED
+CVE-2018-1079 (pcs before version 0.9.164 and 0.10 is vulnerable to a privilege ...)
 	- pcs <unfixed> (bug #895314)
 	[stretch] - pcs <not-affected> (Vulnerable code introduced in 0.9.157)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2
@@ -42170,7 +42195,7 @@ CVE-2017-12134 (The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c
 	- linux 4.12.12-1
 	NOTE: https://xenbits.xen.org/xsa/advisory-229.html
 	NOTE: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 (v4.13-rc6)
-CVE-2017-12133 (The DNS stub resolver in the GNU C Library (glibc) before version ...)
+CVE-2017-12133 (Use-after-free vulnerability in the clntudp_call function in ...)
 	- glibc 2.24-15 (bug #870648)
 	[stretch] - glibc 2.24-11+deb9u2
 	[jessie] - glibc <no-dsa> (Minor issue)
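Review bot: the description of CVE-2017-12133 changes from "The DNS stub resolver in the GNU C Library (glibc) before version ..." to "Use-after-free vulnerability in the clntudp_call function in ...", while the triage lines beneath it (glibc 2.24-15 with bug #870648, stretch 2.24-11+deb9u2, jessie <no-dsa> "Minor issue") are carried over unchanged. Those fixed versions and the severity assessment were recorded against the old text and should be re-verified against the new one before the entry is considered settled.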
@@ -48817,7 +48842,7 @@ CVE-2017-9778 (GNU Debugger (GDB) 8.0 and earlier fails to detect a negative len
 CVE-2017-9777
 	RESERVED
 CVE-2017-9776 (Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in ...)
-	{DSA-4079-1 DLA-1074-1}
+	{DSA-4079-2 DSA-4079-1 DLA-1074-1}
 	- poppler 0.57.0-2 (bug #865679)
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101541
 	NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc
@@ -58424,8 +58449,8 @@ CVE-2017-6912
 	RESERVED
 CVE-2017-6911 (USB Pratirodh is prone to sensitive information disclosure. It stores ...)
 	NOT-FOR-US: USB Pratirodh
-CVE-2017-6910
-	RESERVED
+CVE-2017-6910 (The HTTP and WebSocket engine components in the server in Kaazing ...)
+	TODO: check
 CVE-2017-6909 (An issue was discovered in Shimmie <= 2.5.1. The vulnerability exists ...)
 	NOT-FOR-US: Shimmie
 CVE-2017-6908 (An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability ...)
@@ -73472,8 +73497,8 @@ CVE-2017-1792
 	RESERVED
 CVE-2017-1791
 	RESERVED
-CVE-2017-1790
-	RESERVED
+CVE-2017-1790 (IBM DOORS Next Generation (DNG/RRC) 5.0, 5.0.1, 5.0.2, and 6.0 through ...)
+	TODO: check
 CVE-2017-1789 (IBM Tivoli Monitoring V6 6.2.3 and 6.3.0 could allow an ...)
 	NOT-FOR-US: IBM
 CVE-2017-1788 (IBM WebSphere Application Server 9 installations using Form Login ...)
@@ -120258,8 +120283,7 @@ CVE-2015-4559 (Cross-site scripting (XSS) vulnerability in the product deploymen
 	NOT-FOR-US: Intel McAfee ePolicy Orchestrator
 CVE-2015-4558
 	RESERVED
-CVE-2015-4557
-	RESERVED
+CVE-2015-4557 (Cross-site scripting (XSS) vulnerability in the ...)
 	NOT-FOR-US: WordPress plugin nextend-twitter-connect
 CVE-2015-4555 (Buffer overflow in the HTTP administrative interface in TIBCO ...)
 	NOT-FOR-US: TIBCO
@@ -128612,8 +128636,7 @@ CVE-2015-1779 (The VNC websocket frame decoder in QEMU allows remote attackers t
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93
 CVE-2015-1778 (The custom authentication realm used by karaf-tomcat's "opendaylight" ...)
 	NOT-FOR-US: OpenDaylight
-CVE-2015-1777 [rhnreg_ks fails to properly validate SSL/TLS certificates]
-	RESERVED
+CVE-2015-1777 (rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on ...)
 	- rhn-client-tools <unfixed> (unimportant; bug #779817)
 	NOTE: No security impact, this tool performs a registration at Red Hat Network,
 	NOTE: which would fail, but no practical security impact
@@ -142007,8 +142030,7 @@ CVE-2014-6635 (Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 al
 	NOT-FOR-US: Exponent CMS
 CVE-2014-6634
 	RESERVED
-CVE-2014-6633
-	RESERVED
+CVE-2014-6633 (The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x ...)
 	{DSA-3043-1 DLA-70-1}
 	- tryton-server 3.2.3-1
 	NOTE: https://bugs.tryton.org/issue4155
@@ -142929,8 +142951,8 @@ CVE-2014-6313 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugi
 	NOT-FOR-US: WordPress plugin WooCommerce
 CVE-2014-6312 (Cross-site request forgery (CSRF) vulnerability in the Login Widget ...)
 	NOT-FOR-US: Login Widget With Shortcode (login-sidebar-widget) plugin for WordPress
-CVE-2014-6309
-	RESERVED
+CVE-2014-6309 (The HTTP and WebSocket engine components in the server in Kaazing ...)
+	TODO: check
 CVE-2014-6308 (Directory traversal vulnerability in OSClass before 3.4.2 allows ...)
 	NOT-FOR-US: OsClass
 CVE-2014-6307



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9960e818a775aea3a5d8b4f5d3bc9adbbd45cdcc
