[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed Mar 7 09:10:27 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
82146cea by security tracker role at 2018-03-07T09:10:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,13 @@
+CVE-2018-7740 (The resv_map_release function in mm/hugetlb.c in the Linux kernel ...)
+ TODO: check
+CVE-2018-7739 (antsle antman before 0.9.1a allows remote attackers to bypass ...)
+ TODO: check
+CVE-2018-7737 (In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as ...)
+ TODO: check
+CVE-2018-7736 (In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME ...)
+ TODO: check
+CVE-2017-18221 (The __munlock_pagevec function in mm/mlock.c in the Linux kernel before ...)
+ TODO: check
CVE-2018-7735 (Afian FileRun (before 2018.02.13) suffers from a remote SQL injection ...)
NOT-FOR-US: Afian FileRun
CVE-2018-7734 (Afian FileRun (before 2018.02.13) suffers from a remote SQL injection ...)
@@ -42,15 +52,15 @@ CVE-2018-7723 (The management panel in Piwigo 2.9.3 has stored XSS via the ...)
- piwigo <removed>
CVE-2018-7722 (The management panel in Piwigo 2.9.3 has stored XSS via the name ...)
- piwigo <removed>
-CVE-2018-7721
- RESERVED
-CVE-2018-7720
- RESERVED
+CVE-2018-7721 (Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via ...)
+ TODO: check
+CVE-2018-7720 (A cross-site request forgery (CSRF) vulnerability exists in Western ...)
+ TODO: check
CVE-2018-7719
RESERVED
CVE-2018-1000100 (GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow ...)
TODO: check
-CVE-2018-7738 [code execution in bash-completion for umount]
+CVE-2018-7738 (In util-linux before 2.32-rc1, bash-completion/umount allows local ...)
- bash-completion <unfixed> (unimportant)
- util-linux 2.31.1-0.5 (bug #892179)
[jessie] - util-linux <not-affected> (umount completion added later)
@@ -1787,14 +1797,12 @@ CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -inse
[jessie] - golang <ignored> (Minor issue)
NOTE: https://github.com/golang/go/issues/23867
NOTE: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
-CVE-2018-7185 [Unauthenticated packet can reset authenticated interleaved association]
- RESERVED
+CVE-2018-7185 (The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote ...)
- ntp <unfixed>
NOTE: http://www.kb.cert.org/vuls/id/961909
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3454
NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
-CVE-2018-7184 [Interleaved symmetric mode cannot recover from bad state]
- RESERVED
+CVE-2018-7184 (ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating ...)
- ntp <unfixed>
NOTE: http://www.kb.cert.org/vuls/id/961909
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3453
@@ -1805,8 +1813,7 @@ CVE-2018-7183 [ntpq:decodearr() can write beyond its buffer limit]
NOTE: http://www.kb.cert.org/vuls/id/961909
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3414
NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
-CVE-2018-7182 [ctl_getitem(): buffer read overrun leads to undefined behavior and information leak]
- RESERVED
+CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...)
- ntp <unfixed>
NOTE: http://www.kb.cert.org/vuls/id/961909
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3412
@@ -1821,6 +1828,7 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048
NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2)
CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...)
+ {DLA-1302-1}
- leptonlib 1.75.3-2 (bug #890548)
NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! ...)
@@ -1858,8 +1866,7 @@ CVE-2018-7172 (In index.php in WonderCMS before 2.4.1, remote attackers can dele
NOT-FOR-US: WonderCMS
CVE-2018-7171
RESERVED
-CVE-2018-7170 [Multiple authenticated ephemeral associations]
- RESERVED
+CVE-2018-7170 (nptd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows ...)
- ntp <unfixed>
NOTE: http://www.kb.cert.org/vuls/id/961909
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3415
@@ -2741,14 +2748,14 @@ CVE-2018-6813
RESERVED
CVE-2018-6812
RESERVED
-CVE-2018-6811
- RESERVED
-CVE-2018-6810
- RESERVED
-CVE-2018-6809
- RESERVED
-CVE-2018-6808
- RESERVED
+CVE-2018-6811 (Multiple cross-site scripting (XSS) vulnerabilities in Citrix ...)
+ TODO: check
+CVE-2018-6810 (Directory traversal vulnerability in NetScaler ADC 10.5, 11.0, 11.1, ...)
+ TODO: check
+CVE-2018-6809 (NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, ...)
+ TODO: check
+CVE-2018-6808 (NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, ...)
+ TODO: check
CVE-2018-6807
RESERVED
CVE-2018-6806 (Marked 2 through 2.5.11 allows remote attackers to read arbitrary files ...)
@@ -3618,14 +3625,14 @@ CVE-2018-6532 (An issue was discovered in Icinga 2.x through 2.8.1. By sending .
NOTE: https://github.com/Icinga/icinga2/pull/6103
CVE-2018-6531
RESERVED
-CVE-2018-6530
- RESERVED
-CVE-2018-6529
- RESERVED
-CVE-2018-6528
- RESERVED
-CVE-2018-6527
- RESERVED
+CVE-2018-6530 (OS command injection vulnerability in soap.cgi (soapcgi_main in ...)
+ TODO: check
+CVE-2018-6529 (XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in D-Link ...)
+ TODO: check
+CVE-2018-6528 (XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in D-Link ...)
+ TODO: check
+CVE-2018-6527 (XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in ...)
+ TODO: check
CVE-2018-6526 (view_all_bug_page.php in MantisBT before 2018-02-02 allows remote ...)
- mantis <removed>
[wheezy] - mantis <end-of-life> (Not supported in wheezy LTS)
@@ -5067,8 +5074,8 @@ CVE-2018-6021
RESERVED
CVE-2018-6020
RESERVED
-CVE-2018-6019
- RESERVED
+CVE-2018-6019 (Samsung Display Solutions App before 3.02 for Android allows ...)
+ TODO: check
CVE-2018-6018 (Fixed sizes of HTTPS responses in Tinder iOS app and Tinder Android ...)
NOT-FOR-US: Tinder
CVE-2018-6017 (Unencrypted transmission of images in Tinder iOS app and Tinder ...)
@@ -5874,12 +5881,10 @@ CVE-2018-1000005 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds
NOTE: Patch: https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
CVE-2018-5731
RESERVED
-CVE-2018-5730
- RESERVED
+CVE-2018-5730 (MIT krb5 1.6 or later allows an authenticated kadmin with permission ...)
- krb5 <unfixed> (bug #891869)
NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
-CVE-2018-5729
- RESERVED
+CVE-2018-5729 (MIT krb5 1.6 or later allows an authenticated kadmin with permission ...)
- krb5 <unfixed> (bug #891869)
NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to ...)
@@ -6474,28 +6479,28 @@ CVE-2018-5473 (An Improper Restriction of Operations within the Bounds of a Memo
NOT-FOR-US: GE D60 Line Distance Relay devices
CVE-2018-5472
RESERVED
-CVE-2018-5471
- RESERVED
+CVE-2018-5471 (A Cleartext Transmission of Sensitive Information issue was discovered ...)
+ TODO: check
CVE-2018-5470
RESERVED
-CVE-2018-5469
- RESERVED
+CVE-2018-5469 (An Improper Restriction of Excessive Authentication Attempts issue was ...)
+ TODO: check
CVE-2018-5468
RESERVED
-CVE-2018-5467
- RESERVED
+CVE-2018-5467 (An Information Exposure Through Query Strings in GET Request issue was ...)
+ TODO: check
CVE-2018-5466
RESERVED
-CVE-2018-5465
- RESERVED
+CVE-2018-5465 (A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, ...)
+ TODO: check
CVE-2018-5464
RESERVED
CVE-2018-5463
RESERVED
CVE-2018-5462
RESERVED
-CVE-2018-5461
- RESERVED
+CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in Belden ...)
+ TODO: check
CVE-2018-5460
RESERVED
CVE-2018-5459 (An Improper Authentication issue was discovered in WAGO PFC200 Series ...)
@@ -10210,6 +10215,7 @@ CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing dup
[jessie] - leptonlib <not-affected> (Vulnerable code not present)
[wheezy] - leptonlib <not-affected> (Vulnerable code not present)
CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
+ {DLA-1302-1}
- leptonlib 1.75.3-3 (bug #891932)
[stretch] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 not applied)
[jessie] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 not applied)
@@ -16884,8 +16890,8 @@ CVE-2018-1345
RESERVED
CVE-2018-1344
RESERVED
-CVE-2018-1343
- RESERVED
+CVE-2018-1343 (PAM exposure enabling unauthenticated access to remote host ...)
+ TODO: check
CVE-2018-1342 (A Vulnerability exists on Admin Console where an attacker can upload ...)
NOT-FOR-US: NetIQ Access Manager
CVE-2018-1341
@@ -25534,8 +25540,8 @@ CVE-2017-15521
REJECTED
CVE-2017-15520
REJECTED
-CVE-2017-15519
- RESERVED
+CVE-2017-15519 (Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote ...)
+ TODO: check
CVE-2017-15518 (All versions of OnCommand API Services prior to 2.1 and NetApp Service ...)
NOT-FOR-US: NetApp
CVE-2017-15517 (AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to ...)
@@ -37259,10 +37265,10 @@ CVE-2017-11652 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for
NOT-FOR-US: Razer Synapse
CVE-2017-11651 (NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url ...)
NOT-FOR-US: NexusPHP
-CVE-2017-11650
- RESERVED
-CVE-2017-11649
- RESERVED
+CVE-2017-11650 (Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C ...)
+ TODO: check
+CVE-2017-11649 (Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor ...)
+ TODO: check
CVE-2017-11648 (Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do ...)
NOT-FOR-US: Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices
CVE-2017-11647 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: ...)
@@ -50471,8 +50477,8 @@ CVE-2017-7445
RESERVED
CVE-2017-0887 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...)
- nextcloud <itp> (bug #835086)
-CVE-2016-7443
- RESERVED
+CVE-2016-7443 (Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have ...)
+ TODO: check
CVE-2015-9019 (In libxslt 1.1.29 and earlier, the EXSLT math.random function was not ...)
- libxslt <unfixed> (unimportant; bug #859796)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758400
@@ -86285,8 +86291,8 @@ CVE-2016-5180 (Heap-based buffer overflow in the ares_create_query function in c
- c-ares 1.12.0-1 (medium; bug #839151)
NOTE: https://c-ares.haxx.se/adv_20160929.html
NOTE: https://c-ares.haxx.se/CVE-2016-5180.patch
-CVE-2016-5179
- RESERVED
+CVE-2016-5179 (Chrome OS before 53.0.2785.144 allows remote attackers to execute ...)
+ TODO: check
CVE-2016-5178 (Multiple unspecified vulnerabilities in Google Chrome before ...)
{DSA-3683-1}
- chromium-browser 53.0.2785.143-1
@@ -111601,8 +111607,7 @@ CVE-2015-5379 (Cross-site scripting (XSS) vulnerability in actions.hsp in the Aj
NOT-FOR-US: Axigen
CVE-2015-5378 (Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote ...)
- logstash <itp> (bug #664841)
-CVE-2015-5377 [Remote code execution vulnerability]
- RESERVED
+CVE-2015-5377 (** DISPUTED ** Elasticsearch before 1.6.1 allows remote attackers to ...)
- elasticsearch 1.6.1+dfsg-1 (bug #792617)
[jessie] - elasticsearch <end-of-life> (No longer supported, see DSA 3389)
NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82146cea4a60e23b79ce1c32c1db7767ccdc2ddf
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82146cea4a60e23b79ce1c32c1db7767ccdc2ddf
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180307/193bcefc/attachment-0001.html>
More information about the Secure-testing-commits
mailing list