[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Fri Mar 2 21:10:24 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d209c08b by security tracker role at 2018-03-02T21:10:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,29 @@
+CVE-2018-7650
+	RESERVED
+CVE-2018-7649
+	RESERVED
+CVE-2018-7648 (An issue was discovered in mj2/opj_mj2_extract.c in OpenJPEG 2.3.0. The ...)
+	TODO: check
+CVE-2018-7647
+	RESERVED
+CVE-2018-7646
+	RESERVED
+CVE-2018-7645
+	RESERVED
+CVE-2018-7643 (The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 ...)
+	TODO: check
+CVE-2018-7642 (The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor ...)
+	TODO: check
+CVE-2018-7641 (An issue was discovered in CImg v.220. A heap-based buffer over-read in ...)
+	TODO: check
+CVE-2018-7640 (An issue was discovered in CImg v.220. A heap-based buffer over-read in ...)
+	TODO: check
+CVE-2018-7639 (An issue was discovered in CImg v.220. A heap-based buffer over-read in ...)
+	TODO: check
+CVE-2018-7638 (An issue was discovered in CImg v.220. A heap-based buffer over-read in ...)
+	TODO: check
+CVE-2018-7637 (An issue was discovered in CImg v.220. A heap-based buffer over-read in ...)
+	TODO: check
 CVE-2018-7636
 	RESERVED
 CVE-2018-7635
@@ -313,6 +339,8 @@ CVE-2018-7540 (An issue was discovered in Xen through 4.10.x allowing x86 PV gue
 	- xen <unfixed>
 	NOTE: https://xenbits.xen.org/xsa/advisory-252.html
 CVE-2018-7644 [SSPSA 201802-01: Check for supported signature algorithms when casting a key]
+	RESERVED
+	{DSA-4127-1 DLA-1298-1}
 	- simplesamlphp 1.15.3-1
 	NOTE: https://simplesamlphp.org/security/201802-01
 	NOTE: Fixed by: https://github.com/simplesamlphp/saml2/commit/88a9ae848c4b310b1c53b5700893d890999dd930
@@ -458,7 +486,7 @@ CVE-2018-7484 (An issue was discovered in PureVPN through 5.19.4.0 on Windows. T
 	NOT-FOR-US: PureVPN on Windows
 CVE-2018-7483
 	RESERVED
-CVE-2018-7482 (The K2 component 2.8.0 for Joomla! has Incorrect Access Control with ...)
+CVE-2018-7482 (** DISPUTED ** The K2 component 2.8.0 for Joomla! has Incorrect Access ...)
 	NOT-FOR-US: K2 component for Joomla!
 CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ...)
 	- linux <not-affected> (Vulnerable code not present)
@@ -592,8 +620,8 @@ CVE-2018-7443 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/5c0e1a31bc44829b1024ce599097f43285a05a42
 CVE-2018-7434 (zzcms 8.2 allows remote attackers to discover the full path via a ...)
 	NOT-FOR-US: zzcms
-CVE-2018-7433
-	RESERVED
+CVE-2018-7433 (The iThemes Security plugin before 6.9.1 for WordPress does not ...)
+	TODO: check
 CVE-2018-7432
 	RESERVED
 CVE-2018-7431
@@ -657,18 +685,23 @@ CVE-2018-7417 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the IPMI dissect
 CVE-2018-7416
 	RESERVED
 CVE-2018-7439 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...)
+	{DSA-4129-1 DLA-1297-1}
 	- freexl 1.0.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547892
 CVE-2018-7438 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...)
+	{DSA-4129-1 DLA-1297-1}
 	- freexl 1.0.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547889
 CVE-2018-7437 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...)
+	{DSA-4129-1 DLA-1297-1}
 	- freexl 1.0.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547885
 CVE-2018-7436 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...)
+	{DSA-4129-1 DLA-1297-1}
 	- freexl 1.0.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547883
 CVE-2018-7435 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...)
+	{DSA-4129-1 DLA-1297-1}
 	- freexl 1.0.5-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547879
 CVE-2018-7415
@@ -3310,7 +3343,7 @@ CVE-2018-6519 (The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before
 	{DSA-4127-1}
 	- simplesamlphp 1.15.2-1
 	[wheezy] - simplesamlphp <not-affected> (Vulnerable code not present)
-        NOTE: minor issue
+	NOTE: minor issue
 	NOTE: https://simplesamlphp.org/security/201801-01
 	NOTE: The issue lies in the simplesamlphp/saml2 part, which is
 	NOTE: updated in 1.15.2 to the respective fixed version.
@@ -16099,8 +16132,8 @@ CVE-2018-1375
 	RESERVED
 CVE-2018-1374
 	RESERVED
-CVE-2018-1373
-	RESERVED
+CVE-2018-1373 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an ...)
+	TODO: check
 CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...)
 	NOT-FOR-US: IBM Security Guardium Big Data Intelligence
 CVE-2018-1371
@@ -17661,8 +17694,7 @@ CVE-2018-1065 (The netfilter subsystem in the Linux kernel through 4.15.7 mishan
 	NOTE: Fixed by: https://git.kernel.org/linus/57ebd808a97d7c5b1e1afb937c2db22beba3c1f8
 CVE-2018-1064
 	RESERVED
-CVE-2018-1063 [Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead]
-	RESERVED
+CVE-2018-1063 (Context relabeling of filesystems is vulnerable to symbolic link ...)
 	- policycoreutils <undetermined>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1550122
 CVE-2018-1062
@@ -17673,8 +17705,7 @@ CVE-2018-1060
 	RESERVED
 CVE-2018-1059
 	RESERVED
-CVE-2018-1058 [Security implications of using the default search_path and public schema]
-	RESERVED
+CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify the ...)
 	- postgresql-10 10.3-1
 	- postgresql-9.6 <removed>
 	[stretch] - postgresql-9.6 <no-dsa> (Minor issue; documentation update for recommendations)
@@ -26382,8 +26413,7 @@ CVE-2017-15131 (It was found that system umask policy is not being honored when 
 	NOTE: sessions.
 	NOTE: Enforcements can be achieved e.g. by using pam_umask.
 	NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303
-CVE-2017-15130 [TLS SNI config lookups are inefficient and can be used for DoS]
-	RESERVED
+CVE-2017-15130 (A denial of service flaw was found in dovecot before 2.2.34. An ...)
 	- dovecot 1:2.2.34-1 (bug #891820)
 	NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
 	NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391
@@ -27582,10 +27612,10 @@ CVE-2017-14804 (The build package before 20171128 did not check directory names 
 	NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904
 CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server ...)
 	NOT-FOR-US: NetIQ Access Manager
-CVE-2017-14802
-	RESERVED
-CVE-2017-14801
-	RESERVED
+CVE-2017-14802 (Novell Access Manager Admin Console and IDP servers before 4.3.3 have ...)
+	TODO: check
+CVE-2017-14801 (Reflected XSS in the NetIQ Access Manager before 4.3.3 allowed ...)
+	TODO: check
 CVE-2017-14800 (A reflected cross site scripting attack in the NetIQ Access Manager ...)
 	TODO: check
 CVE-2017-14799 (A cross site scripting attack in handling the ESP login parameter ...)
@@ -28647,8 +28677,7 @@ CVE-2017-14463
 	RESERVED
 CVE-2017-14462
 	RESERVED
-CVE-2017-14461 [rfc822_parse_domain information leak vulnerability]
-	RESERVED
+CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to Dovecot ...)
 	- dovecot 1:2.2.34-1 (bug #891819)
 	NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
 	NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4
@@ -44010,8 +44039,8 @@ CVE-2017-9288 (The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a refle
 	NOT-FOR-US: Wordpress plugin
 CVE-2017-9286 (The packaging of NextCloud in openSUSE used /srv/www/htdocs in an ...)
 	TODO: check
-CVE-2017-9285
-	RESERVED
+CVE-2017-9285 (NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions ...)
+	TODO: check
 CVE-2017-9284
 	RESERVED
 CVE-2017-9283 (An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus ...)
@@ -44020,16 +44049,16 @@ CVE-2017-9282 (An integer overflow (CWE-190) led to an out-of-bounds write (CWE-
 	NOT-FOR-US: Micro Focus VisiBroker
 CVE-2017-9281 (An integer overflow (CWE-190) potentially causing an out-of-bounds ...)
 	NOT-FOR-US: Micro Focus VisiBroker
-CVE-2017-9280
-	RESERVED
-CVE-2017-9279
-	RESERVED
-CVE-2017-9278
-	RESERVED
-CVE-2017-9277
-	RESERVED
-CVE-2017-9276
-	RESERVED
+CVE-2017-9280 (Some NetIQ Identity Manager Applications before Identity Manager ...)
+	TODO: check
+CVE-2017-9279 (NetIQ Identity Manager before 4.5.6.1 allowed uploading files with ...)
+	TODO: check
+CVE-2017-9278 (The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS ...)
+	TODO: check
+CVE-2017-9277 (The LDAP backend in Novell eDirectory before 9.0 SP4 when switched to ...)
+	TODO: check
+CVE-2017-9276 (Novell Access Manager iManager before 4.3.3 did not validate ...)
+	TODO: check
 CVE-2017-9275
 	RESERVED
 CVE-2017-9274 (A shell command injection in the obs-service-source_validator before ...)
@@ -44053,8 +44082,8 @@ CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositori
 	TODO: check
 CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...)
 	TODO: check
-CVE-2017-9267
-	RESERVED
+CVE-2017-9267 (In Novell eDirectory before 9.0.3.1 the LDAP interface was not ...)
+	TODO: check
 CVE-2016-10379 (The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL ...)
 	NOT-FOR-US: Joomla addon
 CVE-2016-10378 (e107 2.1.1 allows SQL injection by remote authenticated administrators ...)
@@ -49112,6 +49141,7 @@ CVE-2017-7672 (If an application allows enter an URL in a form field and built-i
 	- libstruts1.2-java <not-affected> (Vulnerable code not present)
 	NOTE: Issue is specific to Struts 2.x.
 CVE-2017-7671 (There is a DOS attack vulnerability in Apache Traffic Server (ATS) ...)
+	{DSA-4128-1}
 	- trafficserver 7.1.2+ds-1
 	NOTE: https://github.com/apache/trafficserver/pull/1941
 CVE-2017-7670 (The Traffic Router component of the incubating Apache Traffic Control ...)
@@ -50043,16 +50073,16 @@ CVE-2017-7440 (Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client deskt
 	NOT-FOR-US: Kerio
 CVE-2017-7439 (NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might ...)
 	NOT-FOR-US: NetApp
-CVE-2017-7438
-	RESERVED
+CVE-2017-7438 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed ...)
+	TODO: check
 CVE-2017-7437
 	RESERVED
 CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned ...)
 	TODO: check
 CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM ...)
 	TODO: check
-CVE-2017-7434
-	RESERVED
+CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending out ...)
+	TODO: check
 CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe ...)
 	NOT-FOR-US: Micro Focus Vibe
 CVE-2017-7432 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager ...)
@@ -50061,8 +50091,8 @@ CVE-2017-7431 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iMana
 	NOT-FOR-US: Novell Novell iManager and NetIQ iManager
 CVE-2017-7430 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager ...)
 	NOT-FOR-US: Novell Novell iManager and NetIQ iManager
-CVE-2017-7429
-	RESERVED
+CVE-2017-7429 (The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 ...)
+	TODO: check
 CVE-2017-7428 (NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of ...)
 	NOT-FOR-US: NetIQ iManager
 CVE-2017-7427
@@ -50081,8 +50111,8 @@ CVE-2017-7421 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) ...)
 	NOT-FOR-US: Micro Focus
 CVE-2017-7420 (An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka ...)
 	NOT-FOR-US: Micro Focus
-CVE-2017-7419
-	RESERVED
+CVE-2017-7419 (A OAuth application in NetIQ Access Manager 4.3 before 4.3.2 and 4.2 ...)
+	TODO: check
 CVE-2017-7418 (ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the ...)
 	- proftpd-dfsg 1.3.5b-4 (low; bug #859592)
 	[jessie] - proftpd-dfsg 1.3.5-1.1+deb8u2
@@ -55692,6 +55722,7 @@ CVE-2017-5661 (In Apache FOP before 2.2, files lying on the filesystem of the se
 	NOTE: Fixed by: http://svn.apache.org/r1769967
 	NOTE: Fixed by: http://svn.apache.org/r1769968 (fix for Java 6)
 CVE-2017-5660 (There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and ...)
+	{DSA-4128-1}
 	- trafficserver 7.1.2+ds-1
 	NOTE: https://github.com/apache/trafficserver/pull/1657
 	NOTE: https://issues.apache.org/jira/browse/TS-4930
@@ -57637,8 +57668,8 @@ CVE-2017-5191 (An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manage
 	NOT-FOR-US: NetIQ Access Manager
 CVE-2017-5190 (NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when ...)
 	NOT-FOR-US: NetIQ Access Manager
-CVE-2017-5189
-	RESERVED
+CVE-2017-5189 (NetIQ iManager before 3.0.3 delivered a SSL private key in a Java ...)
+	TODO: check
 CVE-2017-5188 (The bs_worker code in open build service before 20170320 followed ...)
 	TODO: check
 CVE-2017-5187 (A Cross-Site Request Forgery (CWE-352) vulnerability in Directory ...)
@@ -61585,6 +61616,7 @@ CVE-2016-9941 (Heap-based buffer overflow in rfbproto.c in LibVNCClient in ...)
 CVE-2016-9940
 	RESERVED
 CVE-2016-9955 (The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before ...)
+	{DLA-1298-1}
 	- simplesamlphp 1.14.11-1 (low)
 	[jessie] - simplesamlphp <no-dsa> (Minor issue)
 	NOTE: https://simplesamlphp.org/security/201612-02
@@ -64176,6 +64208,7 @@ CVE-2016-9815 (Xen through 4.7.x allows local ARM guest OS users to cause a deni
 	NOTE: https://xenbits.xen.org/xsa/advisory-201.html
 	NOTE: CVE for fix via patch https://xenbits.xen.org/xsa/xsa201-1.patch
 CVE-2016-9814 (The validateSignature method in the SAML2\Utils class in SimpleSAMLphp ...)
+	{DLA-1298-1}
 	- simplesamlphp 1.14.10-1 (low)
 	[jessie] - simplesamlphp <no-dsa> (Minor issue)
 	NOTE: https://simplesamlphp.org/security/201612-01
@@ -66883,8 +66916,8 @@ CVE-2017-1789
 	RESERVED
 CVE-2017-1788
 	RESERVED
-CVE-2017-1787
-	RESERVED
+CVE-2017-1787 (IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed ...)
+	TODO: check
 CVE-2017-1786
 	RESERVED
 CVE-2017-1785 (IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote ...)
@@ -67149,8 +67182,8 @@ CVE-2017-1656
 	RESERVED
 CVE-2017-1655
 	RESERVED
-CVE-2017-1654
-	RESERVED
+CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2,0 - 4.2.3 could allow a local ...)
+	TODO: check
 CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management ...)
 	NOT-FOR-US: IBM Jazz Foundation
 CVE-2017-1652
@@ -125709,8 +125742,8 @@ CVE-2015-0797 (GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, .
 	- icedove 31.7.0-1
 	[squeeze] - icedove <end-of-life>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
-CVE-2015-0796
-	RESERVED
+CVE-2015-0796 (In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before ...)
+	TODO: check
 CVE-2015-0795 (Multiple stack-based buffer overflows in the SafeShellExecute method ...)
 	NOT-FOR-US: NetIQ
 CVE-2015-0794 (modules.d/90crypt/module-setup.sh in the dracut package before ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d209c08b4cd42b74b9b16caa6c69d903a6dae1ca

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d209c08b4cd42b74b9b16caa6c69d903a6dae1ca
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180302/93a2e850/attachment-0001.html>


More information about the Secure-testing-commits mailing list