[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Fri Jul 27 21:10:27 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7858b233 by security tracker role at 2018-07-27T20:10:19Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,103 @@
+CVE-2018-14667
+ RESERVED
+CVE-2018-14666
+ RESERVED
+CVE-2018-14665
+ RESERVED
+CVE-2018-14664
+ RESERVED
+CVE-2018-14663
+ RESERVED
+CVE-2018-14662
+ RESERVED
+CVE-2018-14661
+ RESERVED
+CVE-2018-14660
+ RESERVED
+CVE-2018-14659
+ RESERVED
+CVE-2018-14658
+ RESERVED
+CVE-2018-14657
+ RESERVED
+CVE-2018-14656
+ RESERVED
+CVE-2018-14655
+ RESERVED
+CVE-2018-14654
+ RESERVED
+CVE-2018-14653
+ RESERVED
+CVE-2018-14652
+ RESERVED
+CVE-2018-14651
+ RESERVED
+CVE-2018-14650
+ RESERVED
+CVE-2018-14649
+ RESERVED
+CVE-2018-14648
+ RESERVED
+CVE-2018-14647
+ RESERVED
+CVE-2018-14646
+ RESERVED
+CVE-2018-14645
+ RESERVED
+CVE-2018-14644
+ RESERVED
+CVE-2018-14643
+ RESERVED
+CVE-2018-14642
+ RESERVED
+CVE-2018-14641
+ RESERVED
+CVE-2018-14640
+ RESERVED
+CVE-2018-14639
+ RESERVED
+CVE-2018-14638
+ RESERVED
+CVE-2018-14637
+ RESERVED
+CVE-2018-14636
+ RESERVED
+CVE-2018-14635
+ RESERVED
+CVE-2018-14634
+ RESERVED
+CVE-2018-14633
+ RESERVED
+CVE-2018-14632
+ RESERVED
+CVE-2018-14631
+ RESERVED
+CVE-2018-14630
+ RESERVED
+CVE-2018-14629
+ RESERVED
+CVE-2018-14628
+ RESERVED
+CVE-2018-14627
+ RESERVED
+CVE-2018-14626
+ RESERVED
+CVE-2018-14625
+ RESERVED
+CVE-2018-14624
+ RESERVED
+CVE-2018-14623
+ RESERVED
+CVE-2018-14622
+ RESERVED
+CVE-2018-14621
+ RESERVED
+CVE-2018-14620
+ RESERVED
+CVE-2018-14619
+ RESERVED
+CVE-2018-14618
+ RESERVED
CVE-2018-14617 (An issue was discovered in the Linux kernel through 4.17.10. There is a ...)
- linux <unfixed>
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200297
@@ -9449,8 +9549,7 @@ CVE-2018-10883
- linux 4.17.3-1
[stretch] - linux 4.9.110-1
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200071
-CVE-2018-10882
- RESERVED
+CVE-2018-10882 (A flaw was found in the Linux kernel's ext4 filesystem. A local user ...)
{DLA-1423-1}
- linux 4.17.3-1
[stretch] - linux 4.9.110-1
@@ -9525,8 +9624,7 @@ CVE-2018-10864
CVE-2018-10863
RESERVED
NOT-FOR-US: Red Hat Certification
-CVE-2018-10862
- RESERVED
+CVE-2018-10862 (WildFly Core before version 6.0.0.Alpha3 does not properly validate ...)
- wildfly <itp> (bug #752018)
CVE-2018-10861 (A flaw was found in the way ceph mon handles user requests. Any ...)
- ceph <unfixed>
@@ -20665,8 +20763,8 @@ CVE-2018-6688
RESERVED
CVE-2018-6687
RESERVED
-CVE-2018-6686
- RESERVED
+CVE-2018-6686 (Authentication Bypass vulnerability in TPM autoboot in McAfee Drive ...)
+ TODO: check
CVE-2018-6685
RESERVED
CVE-2018-6684
@@ -36268,7 +36366,7 @@ CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protoco
[wheezy] - fossil <no-dsa> (Minor issue)
NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c
CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed ...)
- {DLA-1414-1 DLA-1224-1}
+ {DLA-1414-2 DLA-1414-1 DLA-1224-1}
- mercurial 4.4.1-1
NOTE: https://bz.mercurial-scm.org/show_bug.cgi?id=5730
NOTE: https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html
@@ -37225,8 +37323,7 @@ CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba from
[wheezy] - samba <not-affected> (Vulnerable code introduced later in 4.0.0alpha13)
NOTE: https://www.samba.org/samba/security/CVE-2018-1057.html
NOTE: https://wiki.samba.org/index.php/CVE-2018-1057
-CVE-2018-1056 [heap buffer overflow while running advzip]
- RESERVED
+CVE-2018-1056 (An out-of-bounds heap buffer read flaw was found in the way ...)
{DLA-1281-1}
- advancecomp 2.1-1 (bug #889270)
[stretch] - advancecomp <no-dsa> (Minor issue, can be fixed via point release)
@@ -46193,8 +46290,7 @@ CVE-2017-15126 (A use-after-free flaw was found in fs/userfaultfd.c in the Linux
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: Fixed by: https://git.kernel.org/linus/384632e67e0829deb8015ee6ad916b180049d252
-CVE-2017-15125
- RESERVED
+CVE-2017-15125 (A flaw was found in CloudForms before 5.9.0.22 in the self-service UI ...)
NOT-FOR-US: Red Hat CloudForms
CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older ...)
{DSA-4213-1}
@@ -46213,16 +46309,14 @@ CVE-2017-15121 (A non-privileged user is able to mount a fuse filesystem on RHEL
[wheezy] - linux <ignored> (Too much work to backport)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1520893
NOTE: Fixed by: https://git.kernel.org/linus/5a7203947a1d9b6f3a00a39fda08c2466489555f (v3.11-rc1)
-CVE-2017-15120 [Crafted CNAME answer can cause a denial of service]
- RESERVED
+CVE-2017-15120 (An issue has been found in the parsing of authoritative answers in ...)
{DSA-4063-1}
- pdns-recursor 4.1.0-1
[jessie] - pdns-recursor <not-affected> (Vulnerable code introduced in 4.0.0)
[wheezy] - pdns-recursor <not-affected> (Vulnerable code introduced in 4.0.0)
NOTE: Patch: https://downloads.powerdns.com/patches/2017-08
NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html
-CVE-2017-15119 [DoS via large option request]
- RESERVED
+CVE-2017-15119 (The Network Block Device (NBD) server in Quick Emulator (QEMU) before ...)
{DSA-4213-1}
- qemu 1:2.11+dfsg-1 (bug #883399)
[jessie] - qemu <not-affected> (Vulnerable code not present)
@@ -46259,8 +46353,7 @@ CVE-2017-15114 (When libvirtd is configured by OSP director (tripleo-heat-templa
NOTE: TLS libvirt live migration introduced in: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fa740c5e49994ffdd3a5aa1f43a0305c8e5a0b3a
NOTE: Re-enabled libvirt TLS with SASL auth:
NOTE: https://bugs.launchpad.net/tripleo/+bug/1732479
-CVE-2017-15113
- RESERVED
+CVE-2017-15113 (ovirt-engine before version 4.1.7.6 with log level set to DEBUG ...)
NOT-FOR-US: ovirt-engine
CVE-2017-15112 (keycloak-httpd-client-install versions before 0.8 allow users to ...)
NOT-FOR-US: Keycloak
@@ -49635,7 +49728,7 @@ CVE-2017-14064 (Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1
NOTE: https://bugs.ruby-lang.org/issues/13853
NOTE: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85
CVE-2017-14062 (Integer overflow in the decode_digit function in puny_decode.c in ...)
- {DSA-3988-1 DLA-1085-1 DLA-1084-1}
+ {DSA-3988-1 DLA-1447-1 DLA-1085-1 DLA-1084-1}
- libidn2-0 2.0.2-4 (bug #873902)
- libidn 1.33-2 (bug #873903)
NOTE: https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
@@ -55174,8 +55267,7 @@ CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final w
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055
NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f
-CVE-2017-12195
- RESERVED
+CVE-2017-12195 (A flaw was found in all Openshift Enterprise versions using the ...)
NOT-FOR-US: OpenShift
CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages ...)
- spice-gtk <unfixed> (bug #898503)
@@ -55270,8 +55362,7 @@ CVE-2017-12175 (Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery
NOT-FOR-US: Red Hat Satellite
CVE-2017-12174 (It was found that when Artemis and HornetQ before 2.4.0 are configured ...)
NOT-FOR-US: Artemis and HornetQ
-CVE-2017-12173 [unsanitized input when searching in local cache database]
- RESERVED
+CVE-2017-12173 (It was found that sssd's sysdb_search_user_by_upn_res() function ...)
- sssd 1.15.3-2 (bug #877885)
[jessie] - sssd <not-affected> (Vulnerable code introduced later)
[wheezy] - sssd <not-affected> (Vulnerable code introduced later)
@@ -55315,8 +55406,7 @@ CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnera
NOTE: https://community.openvpn.net/openvpn/changeset/c7e259160b28e94e4ea7f0ef767f8134283af255/ (release/2.4)
NOTE: https://community.openvpn.net/openvpn/changeset/fce34375295151f548a26c2d0eb30141e427c81a/ (release/2.3)
NOTE: https://community.openvpn.net/openvpn/changeset/a9f5c744d6b09f2495ca48d2c926efd3a4b981e6/ (release/2.2)
-CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request smuggling]
- RESERVED
+CVE-2017-12165 (It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 ...)
- undertow <unfixed> (bug #885338)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301
NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559
@@ -55363,8 +55453,7 @@ CVE-2017-12153 (A security flaw was discovered in the nl80211_set_rekey_data() f
NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
CVE-2017-12152
RESERVED
-CVE-2017-12151 [SMB3 connections don't keep encryption across DFS redirects]
- RESERVED
+CVE-2017-12151 (A flaw was found in the way samba client before samba 4.4.16, samba ...)
{DSA-3983-1}
- samba 2:4.6.7+dfsg-2
[wheezy] - samba <not-affected> (Vulnerable code introduced later)
@@ -55376,8 +55465,7 @@ CVE-2017-12150 (It was found that samba before 4.4.16, 4.5.x before 4.5.14, and
CVE-2017-12149 (In Jboss Application Server as shipped with Red Hat Enterprise ...)
- jbossas4 <removed>
[wheezy] - jbossas4 <end-of-life> (incomplete packaging, 4.x series released more than nine years ago.)
-CVE-2017-12148
- RESERVED
+CVE-2017-12148 (A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 ...)
NOT-FOR-US: Ansible Tower
CVE-2017-12147
RESERVED
@@ -69562,8 +69650,7 @@ CVE-2017-7520 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to
NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/f38a4a105979b87ebebe9be1c3d323116d3fb924
NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6
-CVE-2017-7519 [libradosstriper processes arbitrary printf placeholders in user input]
- RESERVED
+CVE-2017-7519 (In Ceph, a format string flaw was found in the way libradosstriper ...)
- ceph <unfixed> (bug #864535)
[stretch] - ceph <no-dsa> (Minor issue)
[jessie] - ceph <not-affected> (Vulnerable code not present)
@@ -69652,8 +69739,7 @@ CVE-2017-7499
REJECTED
CVE-2017-7498
REJECTED
-CVE-2017-7497
- RESERVED
+CVE-2017-7497 (The dialog for creating cloud volumes (cinder provider) in CloudForms ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
CVE-2017-7496 (fedora-arm-installer up to and including 1.99.16 is vulnerable to ...)
NOT-FOR-US: fedora-arm-installer
@@ -69797,8 +69883,7 @@ CVE-2017-7471 (Quick Emulator (Qemu) built with the VirtFS, host directory shari
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443401
NOTE: Introduced by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=acf22d2264a131ad2695b5a18746dabf0cc8b843
NOTE: which is part of the fix for CVE-2016-9602.
-CVE-2017-7470
- RESERVED
+CVE-2017-7470 (It was found that spacewalk-channel can be used by a non-admin user or ...)
NOT-FOR-US: Red Hat / spacewalk-backend
CVE-2017-7469
REJECTED
@@ -69818,11 +69903,9 @@ CVE-2017-7466 (Ansible before version 2.3 has an input validation vulnerability
NOTE: https://github.com/ansible/ansible/commit/0d418789a298561fded9bce977d34babc9097079 (v2.3.0.0-0.1.rc1)
CVE-2017-7465 (It was found that the JAXP implementation used in JBoss EAP 7.0 for ...)
NOT-FOR-US: JBoss JAXP
-CVE-2017-7464
- RESERVED
+CVE-2017-7464 (It was found that the JAXP implementation used in JBoss EAP 7.0 for ...)
NOT-FOR-US: JBoss JAXP
-CVE-2017-7463
- RESERVED
+CVE-2017-7463 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a ...)
NOT-FOR-US: Red Hat business central
CVE-2017-7462 (Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a ...)
NOT-FOR-US: Intellinet NFC-30ir IP Camera
@@ -84635,8 +84718,7 @@ CVE-2017-2676
RESERVED
CVE-2017-2675 (Little Snitch version 3.0 through 3.7.3 suffer from a local privilege ...)
NOT-FOR-US: Little Snitch
-CVE-2017-2674
- RESERVED
+CVE-2017-2674 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored ...)
NOT-FOR-US: Red Hat business central
CVE-2017-2673 (An authorization-check flaw was discovered in federation ...)
- keystone 2:10.0.0-9 (bug #861189)
@@ -84651,8 +84733,7 @@ CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel .
[jessie] - linux 3.16.43-1
NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6
NOTE: Fixed by: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
-CVE-2017-2670
- RESERVED
+CVE-2017-2670 (It was found in Undertow before 1.3.28 that with non-clean TCP close, ...)
{DSA-3906-1}
- undertow 1.4.18-1 (bug #864405)
NOTE: Fixed by https://github.com/undertow-io/undertow/commit/9bfe9fbbb595d51157b61693f072895f7dbadd1d
@@ -84670,8 +84751,7 @@ CVE-2017-2668 (389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable t
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1436575
CVE-2017-2667 (Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not ...)
- foreman <itp> (bug #663101)
-CVE-2017-2666
- RESERVED
+CVE-2017-2666 (It was discovered in Undertow that the code that parsed the HTTP ...)
{DSA-3906-1}
- undertow 1.4.18-1 (bug #864405)
NOTE: https://issues.jboss.org/browse/UNDERTOW-1101
@@ -84695,8 +84775,7 @@ CVE-2017-2660
RESERVED
CVE-2017-2659
RESERVED
-CVE-2017-2658
- RESERVED
+CVE-2017-2658 (It was discovered that the Dashbuilder login page as used in Red Hat ...)
NOT-FOR-US: JBoss BPMS
CVE-2017-2657
RESERVED
@@ -84706,13 +84785,11 @@ CVE-2017-2655
REJECTED
CVE-2017-2654
RESERVED
-CVE-2017-2653
- RESERVED
+CVE-2017-2653 (A number of unused delete routes are present in CloudForms before ...)
NOT-FOR-US: Red Hat CloudForms
CVE-2017-2652
RESERVED
-CVE-2017-2651
- RESERVED
+CVE-2017-2651 (jenkins-mailer-plugin before version 1.20 is vulnerable to an ...)
NOT-FOR-US: jenkins-mailer-plugin
CVE-2017-2650
RESERVED
@@ -84726,8 +84803,7 @@ CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local u
- linux 4.0.2-1
[jessie] - linux 3.16.43-1
NOTE: Fixed by: https://git.kernel.org/linus/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 (v3.18-rc1)
-CVE-2017-2646
- RESERVED
+CVE-2017-2646 (It was found that when Keycloak before 2.5.5 receives a Logout request ...)
NOT-FOR-US: Keycloak
CVE-2017-2645 (In Moodle 3.x, XSS can occur via attachments to evidence of prior ...)
- moodle <not-affected> (Only affects 3.2 to 3.2.1 and 3.1 to 3.1.4)
@@ -84748,14 +84824,12 @@ CVE-2017-2641 (In Moodle 2.x and 3.x, SQL injection can occur via user preferenc
- moodle 2.7.19+dfsg-1
NOTE: https://tracker.moodle.org/browse/MDL-58010
NOTE: https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010
-CVE-2017-2640 [Out-of-bounds write when stripping xml]
- RESERVED
+CVE-2017-2640 (An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 ...)
{DSA-3806-1 DLA-853-1}
- pidgin 2.12.0-1 (bug #859159)
NOTE: https://www.pidgin.im/news/security/?id=109
NOTE: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
-CVE-2017-2639
- RESERVED
+CVE-2017-2639 (It was found that CloudForms does not verify that the server hostname ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
CVE-2017-2638 (It was found that the REST API in Infinispan before version 9.0.0 did ...)
NOT-FOR-US: infinispan
@@ -84774,33 +84848,28 @@ CVE-2017-2635 [Null pointer dereference when updating storage size on empty driv
[wheezy] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c5f6151390ff0a8e65014172bb8c0a8d312c3353 (v3.0.0-rc1)
NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c3de387380f6057ee0e46cd9f2f0a092e8070875 (v3.1.0-rc1)
-CVE-2017-2634 [dccp: crash while sending ipv6 reset packet]
- RESERVED
+CVE-2017-2634 (It was found that the Linux kernel's Datagram Congestion Control ...)
- linux <not-affected> (Fixed before initial rename to src:linux)
NOTE: Fixed by: https://git.kernel.org/linus/f53dc67c5e7babafe239b93a11678b0e05bead51 (2.6.25-rc1)
-CVE-2017-2633 [VNC: memory corruption due to unchecked resolution limit]
- RESERVED
+CVE-2017-2633 (An out-of-bounds memory access issue was found in Quick Emulator ...)
- qemu 2.1+dfsg-1
[wheezy] - qemu <postponed> (Can be fixed along when more severe issues are being fixed)
- qemu-kvm <removed>
[wheezy] - qemu-kvm <postponed> (Can be fixed along when more severe issues are being fixed)
NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef
NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=9f64916da20eea67121d544698676295bbb105a7
-CVE-2017-2632
- RESERVED
+CVE-2017-2632 (A logic error in valid_role() in CloudForms role validation before ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
CVE-2017-2631
RESERVED
-CVE-2017-2630 [nbd: oob stack write in client routine drop_sync]
- RESERVED
+CVE-2017-2630 (A stack buffer overflow flaw was found in the Quick Emulator (QEMU) ...)
- qemu 1:2.8+dfsg-3 (bug #855227)
[jessie] - qemu <not-affected> (Vulnerable code introduced in v2.8.0-rc0)
[wheezy] - qemu <not-affected> (Vulnerable code introduced in v2.8.0-rc0)
- qemu-kvm <not-affected> (Vulnerable code introduced later)
NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422415
-CVE-2017-2629 [SSL_VERIFYSTATUS ignored]
- RESERVED
+CVE-2017-2629 (curl before 7.53.0 has an incorrect TLS Certificate Status Request ...)
- curl 7.52.1-3
[jessie] - curl <not-affected> (Vulnerable code introduced later)
[wheezy] - curl <not-affected> (Vulnerable code introduced later)
@@ -84813,29 +84882,24 @@ CVE-2017-2627 [openstack-tripleo-common: sudoers file is too permissive]
RESERVED
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421917
NOT-FOR-US: RHEL packaging flaw for openstack
-CVE-2017-2626 [Weak Entropy Usage in Session Keys in libICE]
- RESERVED
+CVE-2017-2626 (It was discovered that libICE before 1.0.9-8 used a weak entropy to ...)
- libice 2:1.0.9-2 (bug #856400)
[jessie] - libice <no-dsa> (Minor issue, can be fixed in a point update or next DSA)
[wheezy] - libice <no-dsa> (Minor issue, can be fixed in a point update or next DSA)
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
-CVE-2017-2625 [Weak entropy usage for session keys in libxdm]
- RESERVED
+CVE-2017-2625 (It was discovered that libXdmcp before 1.1.2 including used weak ...)
- libxdmcp 1:1.1.2-2 (bug #856399)
[jessie] - libxdmcp <no-dsa> (Minor issue, can be fixed in a point update or next DSA)
[wheezy] - libxdmcp <no-dsa> (Minor issue, can be fixed in a point update or next DSA)
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
-CVE-2017-2624 [Timing attack against MIT Cookie]
- RESERVED
+CVE-2017-2624 (It was found that xorg-x11-server before 1.19.0 including uses ...)
{DLA-1186-1}
- xorg-server 2:1.19.2-1 (low; bug #856398)
[jessie] - xorg-server 2:1.16.4-1+deb8u2
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
-CVE-2017-2623
- RESERVED
+CVE-2017-2623 (It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 ...)
NOT-FOR-US: Red Hat rpm-ostree
-CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable]
- RESERVED
+CVE-2017-2622 (An accessibility flaw was found in the OpenStack Workflow (mistral) ...)
- mistral <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420992
NOTE: tracing the installation shows that mkdir -p /var/log/mistral
@@ -84843,12 +84907,10 @@ CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable]
NOTE: permissions. But for Debian the final permissions seem to end
NOTE: to 0750, despite, owned by mistral:adm. Thus might need more
NOTE: investigation to determine the affected status.
-CVE-2017-2621 [/var/log/heat/ is world readable]
- RESERVED
+CVE-2017-2621 (An access-control flaw was found in the OpenStack Orchestration (heat) ...)
- heat <not-affected> (heat-common postinst chmod's 0750 /var/log/heat)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420990
-CVE-2017-2620 [display: cirrus: out-of-bounds access issue while in cirrus_bitblt_cputovideo]
- RESERVED
+CVE-2017-2620 (Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA ...)
{DLA-1270-1 DLA-845-1 DLA-842-1}
- qemu 1:2.8+dfsg-3 (bug #855791)
- qemu-kvm <removed>
@@ -84860,16 +84922,14 @@ CVE-2017-2619 (Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a
{DSA-3816-1 DLA-894-1}
- samba 2:4.5.6+dfsg-2
NOTE: https://www.samba.org/samba/security/CVE-2017-2619.html
-CVE-2017-2618 [selinux: fix off-by-one in setprocattr]
- RESERVED
+CVE-2017-2618 (A flaw was found in the Linux kernel's handling of clearing SELinux ...)
{DSA-3791-1}
- linux 4.9.10-1
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: Fixed by: https://github.com/torvalds/linux/commit/0c461cb727d146c9ef2d3e86214f498b78b7d125
CVE-2017-2617 (hawtio before version 1.5.5 is vulnerable to remote code execution via ...)
NOT-FOR-US: hawtio
-CVE-2017-2616 [Sending SIGKILL to other processes with root privileges via su]
- RESERVED
+CVE-2017-2616 (A race condition was found in util-linux before 2.32.1 in the way su ...)
{DSA-3793-1 DLA-838-1}
- shadow 1:4.4-4 (bug #855943)
NOTE: https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
@@ -84883,8 +84943,7 @@ CVE-2017-2615 (Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulato
- qemu 1:2.8+dfsg-3 (low; bug #854731)
NOTE: Introduced with: http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106)
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
-CVE-2017-2614
- RESERVED
+CVE-2017-2614 (When updating a password in the rhvm database the ovirt-aaa-jdbc-tool ...)
NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools
CVE-2017-2613 (jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation ...)
- jenkins <removed>
@@ -84941,8 +85000,7 @@ CVE-2017-2596 (The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.spinics.net/lists/kvm/msg144319.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417812
-CVE-2017-2595
- RESERVED
+CVE-2017-2595 (It was found that the log file viewer in Red Hat JBoss Enterprise ...)
- wildfly <itp> (bug #752018)
CVE-2017-2594 (hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, ...)
NOT-FOR-US: hawtio
@@ -84955,8 +85013,7 @@ CVE-2017-2591 (389-ds-base before version 1.3.6 is vulnerable to an improperly N
- 389-ds-base 1.3.5.15-2 (bug #851769)
[jessie] - 389-ds-base <not-affected> (Only affects 1.3.4.0 and later)
NOTE: https://fedorahosted.org/389/changeset/ffda694dd622b31277da07be76d3469fad86150f/
-CVE-2017-2590 [Insufficient permission check for ca-del, ca-disable and ca-enable commands]
- RESERVED
+CVE-2017-2590 (A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, ...)
- freeipa <not-affected> (ca plugin introduced in 4.4)
NOTE: https://pagure.io/freeipa/issue/6713
NOTE: Fixed by (master): https://pagure.io/freeipa/c/b81ac59640f0b76fa9f53cf8be441f085a7089c4?branch=master
@@ -84965,13 +85022,11 @@ CVE-2017-2589 (It was discovered that the hawtio servlet 1.4 uses a single HttpC
NOT-FOR-US: hawtio
CVE-2017-2588
RESERVED
-CVE-2017-2587
- RESERVED
+CVE-2017-2587 (A memory allocation vulnerability was found in netpbm before 10.61. A ...)
- netpbm-free <not-affected> (vulnerable code not present)
NOTE: Debian uses an old fork of netpbm
NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328
-CVE-2017-2586
- RESERVED
+CVE-2017-2586 (A null pointer dereference vulnerability was found in netpbm before ...)
- netpbm-free <not-affected> (vulnerable code not present)
NOTE: Debian uses an old fork of netpbm
NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328
@@ -84990,18 +85045,15 @@ CVE-2017-2583 (The load_segment_descriptor implementation in arch/x86/kvm/emulat
NOTE: Fixed by: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3
CVE-2017-2582 (It was found that while parsing the SAML messages the StaxParserUtil ...)
NOT-FOR-US: Keycloak
-CVE-2017-2581
- RESERVED
+CVE-2017-2581 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...)
- netpbm-free <undetermined> (bug #854978)
NOTE: Debian uses an old fork of netpbm
NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7
-CVE-2017-2580
- RESERVED
+CVE-2017-2580 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...)
- netpbm-free <undetermined> (bug #854978)
NOTE: Debian uses an old fork of netpbm
NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7
-CVE-2017-2579
- RESERVED
+CVE-2017-2579 (An out-of-bounds read vulnerability was found in netpbm before 10.61. ...)
- netpbm-free <undetermined> (bug #854978)
NOTE: Debian uses an old fork of netpbm
NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7
@@ -90359,8 +90411,7 @@ CVE-2016-9596 [stack exhaustion while parsing xml files in recovery mode]
RESERVED
- libxml2 <not-affected> (Red Hat specific security regressions)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769658
-CVE-2016-9595
- RESERVED
+CVE-2016-9595 (A flaw was found in katello-debug before 3.4.0 where certain scripts ...)
NOT-FOR-US: Katello
CVE-2016-9594 (curl before version 7.52.1 is vulnerable to an uninitialized random ...)
- curl <not-affected> (Only affects 7.52.0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7858b233d406084dd050021a04dae43093284dd9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7858b233d406084dd050021a04dae43093284dd9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180727/59674e38/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list