[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Jan 8 21:10:23 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
14dcd0c9 by security tracker role at 2018-01-08T21:10:20+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,7 @@
+CVE-2018-5300
+	RESERVED
+CVE-2018-5299
+	RESERVED
 CVE-2018-5298 (In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) ...)
 	NOT-FOR-US: Procter & Gamble "Oral-B App" for Android
 CVE-2018-5297
@@ -31,14 +35,14 @@ CVE-2018-5285 (The ImageInject plugin 1.15 for WordPress has CSRF via ...)
 	NOT-FOR-US: ImageInject plugin for WordPress
 CVE-2018-5284 (The ImageInject plugin 1.15 for WordPress has XSS via the flickr_appid ...)
 	NOT-FOR-US: ImageInject plugin for WordPress
-CVE-2018-5283
-	RESERVED
-CVE-2018-5282
-	RESERVED
-CVE-2018-5281
-	RESERVED
-CVE-2018-5280
-	RESERVED
+CVE-2018-5283 (The Photos in Wifi application 1.0.1 for iOS has directory traversal ...)
+	TODO: check
+CVE-2018-5282 (Kentico 9.0 through 11.0 has a stack-based buffer overflow via the ...)
+	TODO: check
+CVE-2018-5281 (SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices ...)
+	TODO: check
+CVE-2018-5280 (SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices ...)
+	TODO: check
 CVE-2018-5279 (In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows ...)
 	NOT-FOR-US: Malwarebytes Premium
 CVE-2018-5278 (In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows ...)
@@ -81,8 +85,8 @@ CVE-2018-5261
 	RESERVED
 CVE-2018-5260
 	RESERVED
-CVE-2018-5259
-	RESERVED
+CVE-2018-5259 (Discuz! DiscuzX X3.4 allows remote authenticated users to bypass ...)
+	TODO: check
 CVE-2018-5258
 	RESERVED
 CVE-2018-5257
@@ -3154,6 +3158,7 @@ CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2.
 CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git ...)
 	NOT-FOR-US: fs-git
 CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...)
+	{DLA-1235-1}
 	- opencv <unfixed> (bug #886282)
 	NOTE: https://github.com/opencv/opencv/issues/9723
 	NOTE: https://github.com/blendin/pocs/blob/master/opencv/0.OOB_Write_FillUniColor
@@ -3185,10 +3190,12 @@ CVE-2017-1000424 (Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vu
 CVE-2017-1000423 (b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation ...)
 	- b2evolution <removed>
 CVE-2017-1000422 (Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer ...)
+	{DLA-1234-1}
 	- gdk-pixbuf 2.36.11-1
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785973
 	NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=0012e066ba37439d402ce46afbc1311530a4ec61
 CVE-2017-1000421 (Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in ...)
+	{DLA-1233-1}
 	- gifsicle 1.90-1
 	NOTE: https://github.com/kohler/gifsicle/issues/114
 	NOTE: https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185
@@ -4541,6 +4548,7 @@ CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in ...)
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790853
 	NOTE: Crash in desktop tool, no/negligable security impact
 CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData ...)
+	{DLA-1235-1}
 	- opencv <unfixed> (bug #885843)
 	NOTE: https://github.com/opencv/opencv/issues/10351
 	NOTE: https://github.com/opencv/opencv/pull/10369/commits/7bbe1a53cfc097b82b1589f7915a2120de39274c
@@ -17157,8 +17165,8 @@ CVE-2017-15885 (Reflected XSS in the web administration portal on the Axis 2100 
 	NOT-FOR-US: Axis
 CVE-2017-15884 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...)
 	NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
-CVE-2017-15883
-	RESERVED
+CVE-2017-15883 (Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow ...)
+	TODO: check
 CVE-2017-15882 (The London Trust Media Private Internet Access (PIA) application before ...)
 	NOT-FOR-US: London Trust Media Private Internet Access (PIA) application
 CVE-2017-15881 (Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 ...)
@@ -17560,7 +17568,7 @@ CVE-2017-15710
 	RESERVED
 CVE-2017-15709
 	RESERVED
-CVE-2017-15708 (Due to the presence of Apache Commons Collections 3.2.1 ...)
+CVE-2017-15708 (In Apache Synapse, by default no authentication is required for Java ...)
 	NOT-FOR-US: Apache Synapse
 CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated ...)
 	- libstruts1.2-java <not-affected> (Specific to 2.x)
@@ -40343,10 +40351,10 @@ CVE-2017-8000 (In EMC RSA Authentication Manager 8.2 SP1 and earlier, a maliciou
 	NOT-FOR-US: EMC
 CVE-2017-7999 (Atlassian Eucalyptus before 4.4.1, when in EDGE mode, allows remote ...)
 	NOT-FOR-US: Atlassian Eucalyptus
-CVE-2017-7998
-	RESERVED
-CVE-2017-7997
-	RESERVED
+CVE-2017-7998 (Multiple cross-site scripting (XSS) vulnerabilities in Gespage before ...)
+	TODO: check
+CVE-2017-7997 (Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow ...)
+	TODO: check
 CVE-2017-7996
 	RESERVED
 CVE-2017-7995 (Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges ...)
@@ -112962,19 +112970,16 @@ CVE-2015-2307
 	RESERVED
 CVE-2015-2306
 	RESERVED
-CVE-2015-2320 [Related to "remove the client-side SSLv2 fallback"]
-	RESERVED
+CVE-2015-2320 (The TLS stack in Mono before 3.12.1 allows remote attackers to have ...)
 	{DSA-3202-1 DLA-176-1}
 	- mono 3.2.8+dfsg-10 (bug #780751)
 	NOTE: https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b
-CVE-2015-2319 [FREAK issue]
-	RESERVED
+CVE-2015-2319 (The TLS stack in Mono before 3.12.1 makes it easier for remote ...)
 	{DSA-3202-1 DLA-176-1}
 	- mono 3.2.8+dfsg-10 (bug #780751)
 	NOTE: https://github.com/mono/mono/commit/9c38772f094168d8bfd5bc73bf8925cd04faad10
 	NOTE: Patch for versions earlier than 3.4: https://gist.github.com/directhex/728af6f96d1b8c976659
-CVE-2015-2318 [SKIP-TLS issue]
-	RESERVED
+CVE-2015-2318 (The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers ...)
 	{DSA-3202-1 DLA-176-1}
 	- mono 3.2.8+dfsg-10 (bug #780751)
 	NOTE: https://github.com/mono/mono/commit/1509226c41d74194c146deb173e752b8d3cdeec4
@@ -126704,10 +126709,10 @@ CVE-2014-7224
 	NOT-FOR-US: Android addJavascriptInterface
 CVE-2014-7223
 	RESERVED
-CVE-2014-7222
-	RESERVED
-CVE-2014-7221
-	RESERVED
+CVE-2014-7222 (Buffer overflow in TeamSpeak Client 3.0.14 and earlier allows remote ...)
+	TODO: check
+CVE-2014-7221 (TeamSpeak Client 3.0.14 and earlier allows remote authenticated users ...)
+	TODO: check
 CVE-2014-7220
 	RESERVED
 CVE-2014-7219
@@ -130764,8 +130769,7 @@ CVE-2014-6040 (GNU C Library (aka glibc) before 2.20 allows context-dependent ..
 	NOTE: https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html
 CVE-2014-5519 (The Ploticus module in PhpWiki 1.5.0 allows remote attackers to ...)
 	- phpwiki <removed>
-CVE-2014-5509 [insecure use of temporary files]
-	RESERVED
+CVE-2014-5509 (clipedit in the Clipboard module for Perl allows local users to delete ...)
 	- libclipboard-perl <not-affected> (Fixed with initial upload to Debian)
 CVE-2014-5458 (SQL injection vulnerability in sqrl_verify.php in php-sqrl allows ...)
 	NOT-FOR-US: php-sqrl
@@ -130891,8 +130895,8 @@ CVE-2014-5396 (The web interface in Schrack Technik microControl with firmware b
 	NOT-FOR-US: Schrack Technik microControl
 CVE-2014-5395 (Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei ...)
 	NOT-FOR-US: Huawei Routers
-CVE-2014-5394
-	RESERVED
+CVE-2014-5394 (Multiple Huawei Campus switches allow remote attackers to enumerate ...)
+	TODO: check
 CVE-2014-5393 (Directory traversal vulnerability in the JobScheduler Operations ...)
 	NOT-FOR-US: JobScheduler
 CVE-2014-5392 (XML External Entity (XXE) vulnerability in JobScheduler before ...)
@@ -131084,8 +131088,8 @@ CVE-2014-5337 (The WordPress Mobile Pack plugin before 2.0.2 for WordPress does 
 	NOT-FOR-US: WordPress plugin Mobile Pack
 CVE-2014-5335 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...)
 	NOT-FOR-US: innovaphone PBX
-CVE-2014-5334
-	RESERVED
+CVE-2014-5334 (FreeNAS before 9.3-M3 has a blank admin password, which allows remote ...)
+	TODO: check
 CVE-2014-5332 (Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local ...)
 	- linux <not-affected> (drivers/video/tegra not present)
 	NOTE: http://googleprojectzero.blogspot.de/2015/01/exploiting-nvmap-to-escape-chrome.html
@@ -131813,12 +131817,12 @@ CVE-2014-5073 (vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657
 	NOT-FOR-US: VMTurbo Operations Manager
 CVE-2014-5072
 	RESERVED
-CVE-2014-5071
-	RESERVED
+CVE-2014-5071 (SQL injection vulnerability in the checkPassword function in ...)
+	TODO: check
 CVE-2014-5070
 	RESERVED
-CVE-2014-5069
-	RESERVED
+CVE-2014-5069 (Cross-site scripting (XSS) vulnerability in Symmetricom s350i 2.70.15 ...)
+	TODO: check
 CVE-2014-5068
 	RESERVED
 CVE-2014-5067
@@ -132127,8 +132131,8 @@ CVE-2014-4974 (The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode
 	NOT-FOR-US: ESET
 CVE-2014-4973 (The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the ...)
 	NOT-FOR-US: ESET Personal Firewall
-CVE-2014-4972
-	RESERVED
+CVE-2014-4972 (Unrestricted file upload vulnerability in the Gravity Upload Ajax ...)
+	TODO: check
 CVE-2014-4971 (Microsoft Windows XP SP3 does not validate addresses in certain IRP ...)
 	NOT-FOR-US: Microsoft Windows XP
 CVE-2014-4970
@@ -135532,8 +135536,7 @@ CVE-2014-3608 (The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 all
 	- nova 2014.1.3-1
 	[wheezy] - nova <not-affected> (Vulnerable code in 2013.2 to 2013.2.2)
 	NOTE: Incomplete fix for CVE-2014-2573
-CVE-2014-3607
-	RESERVED
+CVE-2014-3607 (DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not ...)
 	- libvt-ldap-java 3.3.8-1 (bug #763608)
 CVE-2014-3606
 	RESERVED
@@ -139949,8 +139952,8 @@ CVE-2014-2073
 CVE-2014-2072
 	RESERVED
 	NOT-FOR-US: Dassault Systemes Catia
-CVE-2014-2071
-	RESERVED
+CVE-2014-2071 (Aruba Networks ClearPass Policy Manager 6.1.x, 6.2.x before ...)
+	TODO: check
 CVE-2014-2070
 	RESERVED
 CVE-2014-2069
@@ -140551,14 +140554,12 @@ CVE-2014-1862
 	RESERVED
 CVE-2014-1861 (The client in Jetro COCKPIT Secure Browsing (JCSB) 4.3.1 and 4.3.3 ...)
 	NOT-FOR-US: Jetro COCKPIT Secure Browsing
-CVE-2014-1859 [insecure temporary file use]
-	RESERVED
+CVE-2014-1859 ((1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) ...)
 	- python-numpy 1:1.8.1~rc1-1 (low; bug #737778)
 	[squeeze] - python-numpy <no-dsa> (Minor issue)
 	[wheezy] - python-numpy <no-dsa> (Minor issue)
 	NOTE: issue fixed by https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
-CVE-2014-1858 [insecure temporary file use in __init__.py]
-	RESERVED
+CVE-2014-1858 (__init__.py in f2py in NumPy before 1.8.1 allows local users to write ...)
 	- python-numpy 1:1.8.1~rc1-1 (low; bug #737778)
 	[squeeze] - python-numpy <no-dsa> (Minor issue)
 	[wheezy] - python-numpy <no-dsa> (Minor issue)
@@ -153115,8 +153116,7 @@ CVE-2013-4366 (http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.
 CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read function in ...)
 	{DSA-2778-1}
 	- libapache2-mod-fcgid 1:2.3.9-1 (bug #725942)
-CVE-2013-4364
-	RESERVED
+CVE-2013-4364 ((1) oo-analytics-export and (2) oo-analytics-import in the ...)
 	NOT-FOR-US: OpenShift
 CVE-2013-4363 (Algorithmic complexity vulnerability in ...)
 	- rubygems <removed> (unimportant; bug #722361)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14dcd0c94d0410c71279ca7df86de3f8fbbf2202

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14dcd0c94d0410c71279ca7df86de3f8fbbf2202
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180108/606f1a07/attachment.html>


More information about the Secure-testing-commits mailing list