[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed Jan 10 21:10:23 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
88f5a2de by security tracker role at 2018-01-10T21:10:18+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,11 @@
-CVE-2018-5331
- RESERVED
+CVE-2017-1000441
+ REJECTED
+ TODO: check
+CVE-2017-1000439
+ REJECTED
+ TODO: check
+CVE-2018-5331 (Discuz! DiscuzX X3.4 has XSS via the view parameter to ...)
+ TODO: check
CVE-2018-5330
RESERVED
CVE-2018-5329
@@ -40,7 +46,7 @@ CVE-2017-1000429 (rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the
NOT-FOR-US: rui Li finecms
CVE-2017-1000428 (flatCore-CMS 1.4.6 is vulnerable to reflected XSS in ...)
NOT-FOR-US: flatCore-CMS
-CVE-2017-18026 [Remote command execution through mercurial adapter]
+CVE-2017-18026 (Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does ...)
- redmine <unfixed>
[wheezy] - redmine <end-of-life> (Not supported in wheezy LTS)
NOTE: https://www.redmine.org/issues/27516 (private)
@@ -81,10 +87,10 @@ CVE-2018-5301 (Magento Community Edition and Enterprise Edition before 2.0.10 an
NOT-FOR-US: Magento
CVE-2017-18025 (cgi-bin/drknow.cgi in Innotube ITGuard-Manager 0.0.0.1 allows remote ...)
NOT-FOR-US: Innotube ITGuard-Manager
-CVE-2017-18024
- RESERVED
-CVE-2017-18023
- RESERVED
+CVE-2017-18024 (AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default ...)
+ TODO: check
+CVE-2017-18023 (Office Tracker 11.2.5 has XSS via the logincount parameter to the ...)
+ TODO: check
CVE-2018-XXXX [Password protect the JSONRPC interface]
- electrum 3.0.5-1 (bug #886683)
[jessie] - electrum <not-affected> (Only affects >= 2.6.4)
@@ -1066,6 +1072,7 @@ CVE-2017-1000476 (ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was f
CVE-2017-1000473 (Linux Dash up to version v2 is vulnerable to multiple command ...)
NOT-FOR-US: Linux Dash
CVE-2017-1000472 (The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO ...)
+ {DLA-1239-1}
- poco 1.8.0-2
NOTE: https://github.com/pocoproject/poco/issues/1968
CVE-2017-1000471 (EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL ...)
@@ -3915,8 +3922,8 @@ CVE-2017-17947
RESERVED
CVE-2017-1000411
RESERVED
-CVE-2017-17946
- RESERVED
+CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attackers to ...)
+ TODO: check
CVE-2017-17945
RESERVED
CVE-2017-17944
@@ -4253,8 +4260,8 @@ CVE-2017-17852 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows
NOTE: Fixed by: https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
CVE-2017-17842
RESERVED
-CVE-2017-17841
- RESERVED
+CVE-2017-17841 (Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an ...)
+ TODO: check
CVE-2017-17840 (An issue was discovered in Open-iSCSI through 2.0.875. A local attacker ...)
- open-iscsi 2.0.874-5 (bug #885021)
[stretch] - open-iscsi <no-dsa> (Minor issue)
@@ -9288,8 +9295,8 @@ CVE-2017-17664 (A Remote Crash issue was discovered in Asterisk Open Source 13.x
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27429
CVE-2017-17663
RESERVED
-CVE-2017-17662
- RESERVED
+CVE-2017-17662 (Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 ...)
+ TODO: check
CVE-2017-17661
RESERVED
CVE-2017-17660
@@ -9833,8 +9840,7 @@ CVE-2017-17487
RESERVED
CVE-2017-17486
RESERVED
-CVE-2017-17485
- RESERVED
+CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 ...)
- jackson-databind <not-affected> (Specific incomplete fixes for some Red Hat packages)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0
CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International ...)
@@ -14023,8 +14029,8 @@ CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in .
[wheezy] - ncurses <ignored> (Minor issue)
NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz
NOTE: http://invisible-island.net/ncurses/NEWS.html#t20171125
-CVE-2017-16878
- RESERVED
+CVE-2017-16878 (Cross-site scripting (XSS) vulnerability in the Captive Portal ...)
+ TODO: check
CVE-2017-16877 (ZEIT Next.js before 2.4.1 has directory traversal under the /_next and ...)
NOT-FOR-US: ZEIT Next.js
CVE-2017-16876 (Cross-site scripting (XSS) vulnerability in the _keyify function in ...)
@@ -15394,8 +15400,8 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
CVE-2017-16515
RESERVED
-CVE-2017-16514
- RESERVED
+CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities ...)
+ TODO: check
CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in ...)
NOT-FOR-US: Ipswitch WS_FTP Professional
CVE-2017-16512
@@ -17104,8 +17110,8 @@ CVE-2017-15943 (The configuration file import for applications, spyware and ...)
NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-15942 (Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x ...)
NOT-FOR-US: Palo Alto Networks PAN-OS
-CVE-2017-15941
- RESERVED
+CVE-2017-15941 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS ...)
+ TODO: check
CVE-2017-15940 (The web interface packet capture management component in Palo Alto ...)
NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-15939 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...)
@@ -17358,8 +17364,8 @@ CVE-2017-15851
RESERVED
CVE-2017-15850
RESERVED
-CVE-2017-15849
- RESERVED
+CVE-2017-15849 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...)
+ TODO: check
CVE-2017-15848
RESERVED
CVE-2017-15847
@@ -17648,8 +17654,7 @@ CVE-2017-15719
RESERVED
CVE-2017-15718
RESERVED
-CVE-2017-15717
- RESERVED
+CVE-2017-15717 (A flaw in the way URLs are escaped and encoded in the ...)
NOT-FOR-US: Apache Sling
CVE-2017-15716
RESERVED
@@ -17676,7 +17681,7 @@ CVE-2017-15706
CVE-2017-15705
RESERVED
CVE-2017-15704
- RESERVED
+ REJECTED
CVE-2017-15703
RESERVED
CVE-2017-15702 (In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured ...)
@@ -17778,14 +17783,14 @@ CVE-2017-15667 (In Flexense SysGauge Server 3.6.18, the Control Protocol suffers
NOT-FOR-US: Flexense SysGauge Server
CVE-2017-15666
RESERVED
-CVE-2017-15665
- RESERVED
-CVE-2017-15664
- RESERVED
-CVE-2017-15663
- RESERVED
-CVE-2017-15662
- RESERVED
+CVE-2017-15665 (In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers ...)
+ TODO: check
+CVE-2017-15664 (In Flexense Sync Breeze Enterprise v10.1.16, the Control Protocol ...)
+ TODO: check
+CVE-2017-15663 (In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol ...)
+ TODO: check
+CVE-2017-15662 (In Flexense VX Search Enterprise v10.1.12, the Control Protocol ...)
+ TODO: check
CVE-2017-15661
RESERVED
CVE-2017-15660
@@ -28169,8 +28174,7 @@ CVE-2017-12190 (The bio_map_user_iov and bio_unmap_user functions in block/bio.c
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495089
-CVE-2017-12189
- RESERVED
+CVE-2017-12189 (It was discovered that the jboss init script as used in Red Hat JBoss ...)
NOT-FOR-US: Red Hat JBoss; jbossas init script
CVE-2017-12188 (arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested ...)
- linux 4.13.4-2
@@ -28270,8 +28274,7 @@ CVE-2017-12171 [httpd: # character matches all IPs]
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1493056
CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was ...)
- pure-ftpd <not-affected> (Fedora specific packaging error)
-CVE-2017-12169 [Password hash disclosure via 'System: Read Stage Users' permission]
- RESERVED
+CVE-2017-12169 (It was found that FreeIPA 4.2.0 and later could disclose password ...)
- freeipa <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697
TODO: check, disputed as well if valid CVE assignment
@@ -31615,8 +31618,8 @@ CVE-2017-11071
RESERVED
CVE-2017-11070
RESERVED
-CVE-2017-11069
- RESERVED
+CVE-2017-11069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...)
+ TODO: check
CVE-2017-11068
RESERVED
CVE-2017-11067 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...)
@@ -42269,8 +42272,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable t
- rhnsd <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1480550
NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e
-CVE-2017-7559 [HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)]
- RESERVED
+CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and ...)
- undertow <unfixed> (bug #885576)
NOTE: CVE is for an incomplete fix of CVE-2017-2666
NOTE: Invalid characters were still allowed in the query string and path parameters.
@@ -42374,8 +42376,7 @@ CVE-2017-7537
- dogtag-pki 10.3.5+12-5 (bug #869261)
NOTE: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817
-CVE-2017-7536 [Privilege escalation when running under the security manager]
- RESERVED
+CVE-2017-7536 (In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it ...)
- libhibernate-validator-java <unfixed> (bug #885577)
NOTE: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573
@@ -53942,8 +53943,8 @@ CVE-2017-3767 (A local privilege escalation vulnerability was identified in the
NOT-FOR-US: Lenovo
CVE-2017-3766
RESERVED
-CVE-2017-3765
- RESERVED
+CVE-2017-3765 (In Enterprise Networking Operating System (ENOS) in Lenovo and IBM ...)
+ TODO: check
CVE-2017-3764 (A vulnerability was identified in Lenovo XClarity Administrator (LXCA) ...)
NOT-FOR-US: Lenovo XClarity Administrator
CVE-2017-3763 (An attacker who obtains access to the location where the LXCA file ...)
@@ -59944,8 +59945,8 @@ CVE-2017-1625
RESERVED
CVE-2017-1624
RESERVED
-CVE-2017-1623
- RESERVED
+CVE-2017-1623 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This ...)
+ TODO: check
CVE-2017-1622
RESERVED
CVE-2017-1621
@@ -60122,10 +60123,10 @@ CVE-2017-1536 (IBM Support Tools for Lotus WCM (IBM WebSphere Portal 7.0, 8.0, 8
NOT-FOR-US: IBM Support Tools for Lotus WCM
CVE-2017-1535 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...)
NOT-FOR-US: IBM
-CVE-2017-1534
- RESERVED
-CVE-2017-1533
- RESERVED
+CVE-2017-1534 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a ...)
+ TODO: check
+CVE-2017-1533 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to ...)
+ TODO: check
CVE-2017-1532
RESERVED
CVE-2017-1531 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to ...)
@@ -60272,8 +60273,8 @@ CVE-2017-1461 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerab
NOT-FOR-US: IBM
CVE-2017-1460 (IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router ...)
NOT-FOR-US: IBM
-CVE-2017-1459
- RESERVED
+CVE-2017-1459 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 specifies ...)
+ TODO: check
CVE-2017-1458 (IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity ...)
NOT-FOR-US: IBM
CVE-2017-1457 (IBM QRadar Network Security 5.4 is vulnerable to cross-site scripting. ...)
@@ -61553,8 +61554,8 @@ CVE-2016-9724 (IBM QRadar 7.2 is vulnerable to a denial of service, caused by an
NOT-FOR-US: IBM
CVE-2016-9723 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This ...)
NOT-FOR-US: IBM
-CVE-2016-9722
- RESERVED
+CVE-2016-9722 (IBM QRadar 7.2 and 7.3 specifies permissions for a security-critical ...)
+ TODO: check
CVE-2016-9721
RESERVED
CVE-2016-9720 (IBM QRadar 7.2 discloses sensitive information to unauthorized users. ...)
@@ -72410,8 +72411,7 @@ CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x
NOT-FOR-US: Apache CXF
CVE-2016-6811
REJECTED
-CVE-2016-6810
- RESERVED
+CVE-2016-6810 (In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site ...)
- activemq 5.14.2+dfsg-1 (unimportant)
NOTE: Admin console not enabled in the Debian package, see #702670
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt
@@ -132121,47 +132121,33 @@ CVE-2014-5008 (Snoopy allows remote attackers to execute arbitrary commands. ...
- libphp-snoopy 2.0.0-1 (bug #778634)
NOTE: http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/
NOTE: This issue exists because of an incorrect fix for CVE-2008-4796 (i.e., use of escapeshellcmd where escapeshellarg was required).
-CVE-2014-5004 [Ruby Gem brbackup-0.1.1: exposes the database password to the command line]
- RESERVED
+CVE-2014-5004 (lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database ...)
NOT-FOR-US: Ruby Gem brbackup
-CVE-2014-5003 [Ruby Gem ciborg-3.0.0: race condition when creating /tmp/perlbrew-installer]
- RESERVED
+CVE-2014-5003 (chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in ...)
NOT-FOR-US: Ruby Gem ciborg
-CVE-2014-5002 [Ruby Gem lynx-0.2.0: expose the password to the process table]
- RESERVED
+CVE-2014-5002 (The lynx gem 0.2.0 for Ruby places the configured password on command ...)
NOT-FOR-US: Ruby Gem lynx
-CVE-2014-5001 [Ruby Gem kcapifony-2.1.6: expose the password to the process table]
- RESERVED
+CVE-2014-5001 (lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database ...)
NOT-FOR-US: Ruby Gem kcapifony
-CVE-2014-5000 [Ruby Gem lawn-login-0.0.7: exposes the mysql password to the process table]
- RESERVED
+CVE-2014-5000 (The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby ...)
NOT-FOR-US: Ruby Gem lawn-login
-CVE-2014-4999 [Ruby Gem kajam-1.0.3.rc2: exposes the mysql password to the process table]
- RESERVED
+CVE-2014-4999 (vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem ...)
NOT-FOR-US: Ruby Gem kajam
-CVE-2014-4998 [Ruby Gem lean-ruport-0.3.8: exposes the mysql password to the process table]
- RESERVED
+CVE-2014-4998 (test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the ...)
NOT-FOR-US: Ruby Gem lean-ruport
-CVE-2014-4997 [Ruby Gem point-cli-0.0.1: exposes the username and password combination to the process table]
- RESERVED
+CVE-2014-4997 (lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places ...)
NOT-FOR-US: Ruby Gem point-cli
-CVE-2014-4996 [Ruby Gem VladTheEnterprising-0.2: clobber files via symlink attack]
- RESERVED
+CVE-2014-4996 (lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby ...)
NOT-FOR-US: Ruby Gem VladTheEnterprising
-CVE-2014-4995 [Ruby Gem VladTheEnterprising-0.2: Information Leakage]
- RESERVED
+CVE-2014-4995 (Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem ...)
NOT-FOR-US: Ruby Gem VladTheEnterprising
-CVE-2014-4994 [Ruby Gem gyazo-1.0.0: Insecure Temporary File]
- RESERVED
+CVE-2014-4994 (lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users ...)
NOT-FOR-US: Ruby Gem gyazo
-CVE-2014-4993 [Ruby Gems backup-agoddard and backup_checksum: expose the password to the process table]
- RESERVED
+CVE-2014-4993 ((1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and ...)
NOT-FOR-US: Ruby Gems backup-agoddard and backup_checksum
-CVE-2014-4992 [Ruby Gem cap-strap-0.1.5: expose the password to the process table]
- RESERVED
+CVE-2014-4992 (lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places ...)
NOT-FOR-US: Ruby Gem cap-strap
-CVE-2014-4991 [Ruby Gem codders-dataset-1.3.2.1: expose the password to the process table]
- RESERVED
+CVE-2014-4991 ((1) lib/dataset/database/mysql.rb and (2) ...)
NOT-FOR-US: Ruby Gem codders-dataset
CVE-2014-4990
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88f5a2de92d4bf1da6d62ae3604d57e73683acc4
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88f5a2de92d4bf1da6d62ae3604d57e73683acc4
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180110/f230b413/attachment-0001.html>
More information about the Secure-testing-commits
mailing list