[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 28 09:10:29 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3347ff67 by security tracker role at 2018-07-28T08:10:19Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,23 @@
+CVE-2018-14677
+ RESERVED
+CVE-2018-14676
+ RESERVED
+CVE-2018-14675
+ RESERVED
+CVE-2018-14674
+ RESERVED
+CVE-2018-14673
+ RESERVED
+CVE-2018-14672
+ RESERVED
+CVE-2018-14671
+ RESERVED
+CVE-2018-14670
+ RESERVED
+CVE-2018-14669
+ RESERVED
+CVE-2018-14668
+ RESERVED
CVE-2018-XXXX [off-by-one error in CHM PMGI/PMGL chunk number validity checks]
- libmspack <unfixed> (bug #904802)
NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a
@@ -37035,6 +37055,7 @@ CVE-2018-1118 (Linux kernel vhost since version 4.8 does not properly initialize
CVE-2018-1117 (ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a ...)
NOT-FOR-US: ovirt-ansible-roles
CVE-2018-1116 (A flaw was found in polkit before version 0.116. The implementation of ...)
+ {DLA-1448-1}
- policykit-1 0.105-21 (bug #903563)
[stretch] - policykit-1 <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://cgit.freedesktop.org/polkit/commit/?id=bc7ffad53643a9c80231fc41f5582d6a8931c32c
@@ -38718,6 +38739,7 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can
CVE-2018-0738
RESERVED
CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...)
+ {DLA-1449-1}
- openssl 1.1.0h-3 (low; bug #895844)
[stretch] - openssl <postponed> (Can wait for next DSA and upstream release)
[wheezy] - openssl <postponed> (Can wait for next update)
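Review bot: the `[wheezy] - openssl <postponed> (Can wait for next update)` line directly below the new `{DLA-1449-1}` tag is left untouched; now that an LTS advisory is recorded for this issue, confirm whether that wheezy postponement is still accurate or should be resolved, so the entry does not carry a stale "can wait" annotation next to the advisory that shipped.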
@@ -38742,6 +38764,7 @@ CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp functi
NOTE: Issue specific to HP-UX
NOTE: https://www.openssl.org/news/secadv/20180327.txt
CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ...)
+ {DLA-1449-1}
- openssl <unfixed> (low)
[stretch] - openssl <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
- openssl1.0 <unfixed> (low)
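Review bot: the `{DLA-1449-1}` tag records the LTS fix, but both `- openssl <unfixed> (low)` and `- openssl1.0 <unfixed> (low)` remain unfixed in the visible lines, and the only `[stretch]` annotation shown applies to the openssl source package; confirm that a matching `[stretch] - openssl1.0 ...` line exists beyond the hunk context, and update the two `<unfixed>` entries with the fixed versions once they are uploaded.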
@@ -46338,8 +46361,7 @@ CVE-2017-15119 (The Network Block Device (NBD) server in Quick Emulator (QEMU) b
- qemu-kvm <removed>
[wheezy] - qemu-kvm <not-affected> (Vulnerable code introduced later)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html
-CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name]
- RESERVED
+CVE-2017-15118 (A stack-based buffer overflow vulnerability was found in NBD server ...)
- qemu 1:2.11+dfsg-1 (bug #883406)
[stretch] - qemu <not-affected> (Vulnerable code introduced in 2.10)
[jessie] - qemu <not-affected> (Vulnerable code introduced in 2.10)
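Review bot: the neighbouring CVE-2017-15119 entry at the top of the hunk carries `- qemu-kvm <removed>` and a `[wheezy] - qemu-kvm <not-affected>` line, while CVE-2017-15118 lists only the qemu source package; given the stated reason "Vulnerable code introduced in 2.10", add the same qemu-kvm annotation here for consistency, and consider keeping the dropped working title's trigger detail (long export name) as a `NOTE:` since the truncated official description no longer shows it.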
@@ -46409,8 +46431,7 @@ CVE-2017-15102 (The tower_probe function in drivers/usb/misc/legousbtower.c in t
[jessie] - linux 3.16.43-1
[wheezy] - linux 3.2.86-1
NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1)
-CVE-2017-15101 [Incomplete fix for CVE-2014-8184]
- RESERVED
+CVE-2017-15101 (A missing patch for a stack-based buffer overflow in findTable() was ...)
- liblouis <not-affected> (Incomplete fix not applied in Debian)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c12
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1511023
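Review bot: replacing the working title `[Incomplete fix for CVE-2014-8184]` with the truncated official text drops the only mention of which fix this CVE is the incomplete version of; the `<not-affected> (Incomplete fix not applied in Debian)` reason no longer says which one, so add a line such as `NOTE: Incomplete fix for CVE-2014-8184` so the cross-reference survives the description update.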
@@ -46430,8 +46451,7 @@ CVE-2017-15098 (Invalid json_populate_recordset or jsonb_populate_recordset func
- postgresql-9.1 <removed>
[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
[wheezy] - postgresql-9.1 <not-affected> (Vulnerable code does not exist)
-CVE-2017-15097
- RESERVED
+CVE-2017-15097 (Privilege escalation flaws were found in the Red Hat initialization ...)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1508985
NOTE: Similar issues as CVE-2016-1255 in Debian
NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database
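Review bot: the `NOT-FOR-US: Red Hat specific provides scripts for starting ...` line reads as if a word is missing after "specific"; while this entry is being touched, reword it along the lines of `NOT-FOR-US: Red Hat specific init scripts for starting the database server during system boot and for initializing the database`, and keep the `NOTE: Similar issues as CVE-2016-1255 in Debian` line, since it is what points a reader at the Debian-side counterpart.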
@@ -84774,8 +84794,7 @@ CVE-2017-2665 (The skyring-setup command creates random password for mongodb sky
NOT-FOR-US: Red Hat Storage / skyring
CVE-2017-2664 (CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before ...)
NOT-FOR-US: Red Hat CloudForms
-CVE-2017-2663
- RESERVED
+CVE-2017-2663 (It was found that subscription-manager's DBus interface before 1.19.4 ...)
NOT-FOR-US: candlepin / subscription-manager
CVE-2017-2662
RESERVED
@@ -84801,16 +84820,15 @@ CVE-2017-2654
RESERVED
CVE-2017-2653 (A number of unused delete routes are present in CloudForms before ...)
NOT-FOR-US: Red Hat CloudForms
-CVE-2017-2652
- RESERVED
+CVE-2017-2652 (It was found that there were no permission checks performed in the ...)
+ TODO: check
CVE-2017-2651 (jenkins-mailer-plugin before version 1.20 is vulnerable to an ...)
NOT-FOR-US: jenkins-mailer-plugin
-CVE-2017-2650
- RESERVED
-CVE-2017-2649
- RESERVED
-CVE-2017-2648
- RESERVED
+CVE-2017-2650 (It was found that the use of Pipeline: Classpath Step Jenkins plugin ...)
+ TODO: check
+CVE-2017-2649 (It was found that the Active Directory Plugin for Jenkins up to and ...)
+ TODO: check
+CVE-2017-2648 (It was found that jenkins-ssh-slaves-plugin before version 1.15 did ...)
NOT-FOR-US: jenkins-ssh-slaves-plugin
CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local users ...)
{DLA-922-1}
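Review bot: three entries (CVE-2017-2652, CVE-2017-2650, CVE-2017-2649) are left at `TODO: check` while CVE-2017-2648 in the same hunk is resolved to `NOT-FOR-US: jenkins-ssh-slaves-plugin`; the truncated description of CVE-2017-2652 does not even name the affected component, so the TODO should at least record the plugin name once known, and the two that do name Jenkins plugins (Pipeline: Classpath Step, Active Directory Plugin) can be triaged the same way as the other Jenkins plugin entries in this hunk if those plugins are not packaged in Debian.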
@@ -90380,8 +90398,7 @@ CVE-2016-9604 (It was discovered in the Linux kernel before 4.11-rc8 that root c
- linux 4.9.25-1
[jessie] - linux 3.16.43-1
NOTE: Fixed by: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
-CVE-2016-9603 [cirrus: heap buffer overflow via vnc connection]
- RESERVED
+CVE-2016-9603 (A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA ...)
{DLA-1270-1 DLA-1035-1 DLA-939-1}
- qemu 1:2.8+dfsg-4 (bug #857744)
- qemu-kvm <removed>
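Review bot: the removed working title `[cirrus: heap buffer overflow via vnc connection]` named the trigger (a VNC connection), which the truncated official description no longer shows; since this entry already records fixed versions and three DLAs, a one-line `NOTE:` preserving that detail would keep the entry self-explanatory without the MITRE text.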
@@ -90501,14 +90518,12 @@ CVE-2016-9579 [RGW server DoS via request with invalid HTTP Origin header]
- ceph 10.2.5-2 (bug #849048)
[jessie] - ceph 0.80.7-2+deb8u2
NOTE: http://tracker.ceph.com/issues/18187
-CVE-2016-9578
- RESERVED
+CVE-2016-9578 (A vulnerability was discovered in SPICE before 0.13.90 in the server's ...)
{DSA-3790-1 DLA-825-1}
- spice 0.12.8-2.1 (bug #854336)
NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556 (0.12.x)
NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a (0.12.x)
-CVE-2016-9577
- RESERVED
+CVE-2016-9577 (A vulnerability was discovered in SPICE before 0.13.90 in the server's ...)
{DSA-3790-1 DLA-825-1}
- spice 0.12.8-2.1 (bug #854336)
NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 (0.12.x)
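Review bot: CVE-2016-9578 and CVE-2016-9577 now carry identical truncated descriptions (`A vulnerability was discovered in SPICE before 0.13.90 in the server's ...`), so nothing in the description text distinguishes the two entries; the only differentiator left is the set of `Fixed by:` commit NOTEs (two commits for -9578, one for -9577), so check that each commit is attached to the right CVE and consider a short `NOTE:` naming the affected code path for each.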
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3347ff6706d9f2b26844c193b4b929dca657242b