[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 27 21:10:32 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0b80c7c8 by security tracker role at 2018-02-27T21:10:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,11 +1,19 @@
-CVE-2018-7542 [XSA-256: x86 PVH guest without LAPIC may DoS the host]
+CVE-2018-7544
+ RESERVED
+CVE-2018-7543
+ RESERVED
+CVE-2018-7539
+ RESERVED
+CVE-2018-7538
+ RESERVED
+CVE-2018-7542 (An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH ...)
- xen <unfixed>
[jessie] - xen <not-affected> (Vulnerable code introduced later)
NOTE: https://xenbits.xen.org/xsa/advisory-256.html
-CVE-2018-7541 [XSA-255: grant table v2 -> v1 transition may crash Xen]
+CVE-2018-7541 (An issue was discovered in Xen through 4.10.x allowing guest OS users ...)
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-255.html
-CVE-2018-7540 [XSA-252: DoS via non-preemptable L3/L4 pagetable freeing]
+CVE-2018-7540 (An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS ...)
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-252.html
CVE-2018-XXXX [SSPSA 201802-01: Check for supported signature algorithms when casting a key]
@@ -102,11 +110,11 @@ CVE-2018-7494
RESERVED
CVE-2018-7493
RESERVED
-CVE-2017-18204 [ocfs2: should wait dio before inode lock in ocfs2_setattr()]
+CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel ...)
- linux 4.14.2-1
[stretch] - linux 4.9.65-1
NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300
-CVE-2017-18203 [dm: fix race between dm_get_from_kobject() and __dm_destroy()]
+CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel ...)
- linux 4.14.7-1
[stretch] - linux 4.9.80-1
NOTE: Fixed by: https://git.kernel.org/linus/b9a41d21dceadf8104812626ef85dc56ee8a60ed
@@ -961,12 +969,14 @@ CVE-2015-9255 (Datto ALTO and SIRIS devices allow remote attackers to obtain sen
CVE-2015-9254 (Datto ALTO and SIRIS devices have a default VNC password. ...)
NOT-FOR-US: Datto ALTO and SIRIS devices
CVE-2018-7254 (The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack ...)
+ {DSA-4125-1}
- wavpack <unfixed> (bug #889274)
[jessie] - wavpack <not-affected> (Vulnerable code not present)
[wheezy] - wavpack <not-affected> (Vulnerable code not present)
NOTE: https://github.com/dbry/WavPack/issues/26
NOTE: https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
CVE-2018-7253 (The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of ...)
+ {DSA-4125-1}
- wavpack <unfixed> (bug #889559)
[jessie] - wavpack <not-affected> (Vulnerable code not present)
[wheezy] - wavpack <not-affected> (Vulnerable code not present)
@@ -1181,8 +1191,8 @@ CVE-2018-1000068 (An improper input validation vulnerability exists in Jenkins v
- jenkins <removed>
CVE-2018-1000067 (An improper authorization vulnerability exists in Jenkins versions ...)
- jenkins <removed>
-CVE-2018-7172
- RESERVED
+CVE-2018-7172 (In index.php in WonderCMS 2.4.0, remote attackers can delete arbitrary ...)
+ TODO: check
CVE-2018-7171
RESERVED
CVE-2018-7170
@@ -2187,6 +2197,7 @@ CVE-2018-6761
CVE-2018-6760
RESERVED
CVE-2018-6767 (A stack-based buffer over-read in the ParseRiffHeaderConfig function of ...)
+ {DSA-4125-1}
- wavpack <unfixed> (bug #889276)
[jessie] - wavpack <not-affected> (Vulnerable code introduced later in 4.80.0)
[wheezy] - wavpack <not-affected> (Vulnerable code introduced later in 4.80.0)
@@ -2913,14 +2924,14 @@ CVE-2018-6536 (An issue was discovered in Icinga 2.x through 2.8.1. The daemon c
[stretch] - icinga2 <no-dsa> (Minor issue)
[jessie] - icinga2 <no-dsa> (Minor issue)
NOTE: https://github.com/Icinga/icinga2/issues/5991
-CVE-2018-6535
- RESERVED
-CVE-2018-6534
- RESERVED
-CVE-2018-6533
- RESERVED
-CVE-2018-6532
- RESERVED
+CVE-2018-6535 (An issue was discovered in Icinga 2.x through 2.8.1. The lack of a ...)
+ TODO: check
+CVE-2018-6534 (An issue was discovered in Icinga 2.x through 2.8.1. By sending ...)
+ TODO: check
+CVE-2018-6533 (An issue was discovered in Icinga 2.x through 2.8.1. By editing the ...)
+ TODO: check
+CVE-2018-6532 (An issue was discovered in Icinga 2.x through 2.8.1. By sending ...)
+ TODO: check
CVE-2018-6531
RESERVED
CVE-2018-6530
@@ -3143,8 +3154,8 @@ CVE-2018-6483
RESERVED
CVE-2018-6482
RESERVED
-CVE-2018-6481
- RESERVED
+CVE-2018-6481 (A buffer overflow vulnerability in the control protocol of Disk Savvy ...)
+ TODO: check
CVE-2018-6480 (A type confusion issue was discovered in CCN-lite 2, leading to a ...)
NOT-FOR-US: CCN-lite 2
CVE-2018-6479 (An issue was discovered on Netwave IP Camera devices. An ...)
@@ -15626,8 +15637,8 @@ CVE-2018-1427
RESERVED
CVE-2018-1426
RESERVED
-CVE-2018-1425
- RESERVED
+CVE-2018-1425 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker ...)
+ TODO: check
CVE-2018-1424
RESERVED
CVE-2018-1423
@@ -15644,8 +15655,8 @@ CVE-2018-1418
RESERVED
CVE-2018-1417 (Under certain circumstances, a flaw in the J9 JVM (IBM Runtimes for ...)
NOT-FOR-US: IBM Runtimes for Java Technology
-CVE-2018-1416
- RESERVED
+CVE-2018-1416 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to ...)
+ TODO: check
CVE-2018-1415 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...)
NOT-FOR-US: IBM Maximo Asset Management
CVE-2018-1414 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL ...)
@@ -15678,8 +15689,8 @@ CVE-2018-1401 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-sit
NOT-FOR-US: IBM WebSphere Portal
CVE-2018-1400
RESERVED
-CVE-2018-1399
- RESERVED
+CVE-2018-1399 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5 and 5.0 is ...)
+ TODO: check
CVE-2018-1398
RESERVED
CVE-2018-1397
@@ -15732,8 +15743,8 @@ CVE-2018-1374
RESERVED
CVE-2018-1373
RESERVED
-CVE-2018-1372
- RESERVED
+CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...)
+ TODO: check
CVE-2018-1371
RESERVED
CVE-2018-1370
@@ -16406,8 +16417,8 @@ CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered
- openjpeg2 <unfixed> (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/1044
NOTE: Debian packaging does not build JPWL, has BUILD_JPWL:BOOL=OFF
-CVE-2017-17478
- RESERVED
+CVE-2017-17478 (An XSS issue was discovered in Designer Studio in Pegasystems Pega ...)
+ TODO: check
CVE-2017-17477
RESERVED
CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...)
@@ -17304,7 +17315,8 @@ CVE-2018-1059
RESERVED
CVE-2018-1058
RESERVED
-CVE-2018-1057 (Security implications of using the default search_path and public schema)
+CVE-2018-1057
+ RESERVED
- postgresql-10 10.3-1
- postgresql-9.6 <removed>
- postgresql-9.4 <removed>
@@ -19300,8 +19312,8 @@ CVE-2018-0491
RESERVED
CVE-2018-0490
RESERVED
-CVE-2018-0489 [Shibboleth SP software vulnerable to additional data forgery flaws]
- RESERVED
+CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service ...)
+ {DSA-4126-1}
- xmltooling <unfixed>
NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt
NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128
@@ -21335,14 +21347,14 @@ CVE-2017-16772
RESERVED
CVE-2017-16771
RESERVED
-CVE-2017-16770
- RESERVED
+CVE-2017-16770 (File and directory information exposure vulnerability in ...)
+ TODO: check
CVE-2017-16769 (Exposure of private information vulnerability in Photo Viewer in ...)
TODO: check
CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in ...)
NOT-FOR-US: Synology MailPlus Server
-CVE-2017-16767
- RESERVED
+CVE-2017-16767 (Cross-site scripting (XSS) vulnerability in User Profile in Synology ...)
+ TODO: check
CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...)
NOT-FOR-US: Synology DiskStation Manager
CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. ...)
@@ -24372,11 +24384,9 @@ CVE-2017-15695
RESERVED
CVE-2017-15694
RESERVED
-CVE-2017-15693
- RESERVED
+CVE-2017-15693 (In Apache Geode before v1.4.0, the Geode server stores application ...)
NOT-FOR-US: Apache Geode
-CVE-2017-15692
- RESERVED
+CVE-2017-15692 (In Apache Geode before v1.4.0, the TcpServer within the Geode locator ...)
NOT-FOR-US: Apache Geode
CVE-2017-15691
RESERVED
@@ -33795,7 +33805,7 @@ CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific plugi
CVE-2017-12630 (In Apache Drill 1.11.0 and earlier when submitting form from Query ...)
NOT-FOR-US: Apache Drill
CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with Apache ...)
- {DLA-1254-1}
+ {DSA-4124-1 DLA-1254-1}
- lucene-solr 3.6.2+dfsg-11
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501529
NOTE: http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html
@@ -35311,7 +35321,7 @@ CVE-2017-12093
CVE-2017-12092
RESERVED
CVE-2017-12091
- RESERVED
+ REJECTED
CVE-2017-12090
RESERVED
CVE-2017-12089
@@ -38830,9 +38840,9 @@ CVE-2017-10941 (This vulnerability allows remote attackers to execute arbitrary
CVE-2017-10940 (This vulnerability allows remote attackers to execute arbitrary code ...)
NOT-FOR-US: Joyent
CVE-2017-10939
- RESERVED
+ REJECTED
CVE-2017-10938
- RESERVED
+ REJECTED
CVE-2017-10937
RESERVED
CVE-2017-10936
@@ -48716,8 +48726,8 @@ CVE-2017-7673 (Apache OpenMeetings 1.0.0 uses not very strong cryptographic stor
CVE-2017-7672 (If an application allows enter an URL in a form field and built-in ...)
- libstruts1.2-java <not-affected> (Vulnerable code not present)
NOTE: Issue is specific to Struts 2.x.
-CVE-2017-7671
- RESERVED
+CVE-2017-7671 (There is a DOS attack vulnerability in Apache Traffic Server (ATS) ...)
+ TODO: check
CVE-2017-7670 (The Traffic Router component of the incubating Apache Traffic Control ...)
NOT-FOR-US: Apache Traffic Control
CVE-2017-7669 (In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the ...)
@@ -55291,8 +55301,8 @@ CVE-2017-5661 (In Apache FOP before 2.2, files lying on the filesystem of the se
NOTE: Upstream bug: https://issues.apache.org/jira/browse/FOP-2668
NOTE: Fixed by: http://svn.apache.org/r1769967
NOTE: Fixed by: http://svn.apache.org/r1769968 (fix for Java 6)
-CVE-2017-5660
- RESERVED
+CVE-2017-5660 (There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and ...)
+ TODO: check
CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...)
- trafficserver 7.0.0-1
[wheezy] - trafficserver <not-affected> (PoC doesn't crash the server, fix too hard to backport)
@@ -62970,7 +62980,7 @@ CVE-2017-3165 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable t
CVE-2017-3164
RESERVED
CVE-2017-3163 (When using the Index Replication feature, Apache Solr nodes can pull ...)
- {DLA-1046-1}
+ {DSA-4124-1 DLA-1046-1}
- lucene-solr 3.6.2+dfsg-11 (bug #867712)
NOTE: https://issues.apache.org/jira/browse/SOLR-10031
NOTE: https://github.com/apache/lucene-solr/commit/ae789c252687dc8a18bfdb677f2e6cd14570e4db
@@ -94079,6 +94089,7 @@ CVE-2016-XXXX [exec functions ignore length but look for NULL termination]
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14
NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
CVE-2016-10712 (In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of ...)
+ {DLA-818-1}
- php5 5.6.18+dfsg-1
[jessie] - php5 5.6.19+dfsg-0+deb8u1
- php5.6 5.6.18+dfsg-1
@@ -180237,8 +180248,8 @@ CVE-2012-3538 (Pulp in Red Hat CloudForms before 1.1 logs administrative passwor
CVE-2012-3537 (The Crowbar Ohai plugin ...)
NOT-FOR-US: crowbar ohai plugin
NOTE: https://github.com/SUSE-Cloud/barclamp-deployer/commit/b6454268a067fc77ff5de82057b5b53b3cc38b87
-CVE-2012-3536
- RESERVED
+CVE-2012-3536 (Two XSS vulnerabilities were fixed in message list and view in the ...)
+ TODO: check
CVE-2012-3535 (Heap-based buffer overflow in OpenJPEG 1.5.0 and earlier allows remote ...)
{DSA-2629-1}
- openjpeg 1.3+dfsg-4.6 (bug #685970)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b80c7c85a480dc9a27807d9e141f361c018394a
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b80c7c85a480dc9a27807d9e141f361c018394a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180227/99bc6fb3/attachment.html>
More information about the Secure-testing-commits
mailing list