[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 13 21:10:32 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
be4c098e by security tracker role at 2018-03-13T21:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,17 @@
+CVE-2018-8094
+ RESERVED
+CVE-2018-8093
+ RESERVED
+CVE-2018-8092
+ RESERVED
+CVE-2018-8091
+ RESERVED
+CVE-2018-8090
+ RESERVED
+CVE-2018-8089
+ RESERVED
+CVE-2018-8088
+ RESERVED
CVE-2018-8087 (Memory leak in the hwsim_new_radio_nl function in ...)
- linux <unfixed>
NOTE: Fixed by: https://git.kernel.org/linus/0ddcff49b672239dda94d70d0fcf50317a9f4b51
@@ -747,8 +761,8 @@ CVE-2018-7754
RESERVED
CVE-2018-7751
RESERVED
-CVE-2018-7750
- RESERVED
+CVE-2018-7750 (transport.py in the SSH server implementation of Paramiko before ...)
+ TODO: check
CVE-2018-7749 (The SSH server implementation of AsyncSSH before 1.12.1 does not ...)
- python-asyncssh <unfixed> (bug #892787)
NOTE: https://github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a
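Review bot: CVE-2018-7750 is left at "TODO: check" even though its new description names transport.py in Paramiko's SSH server implementation, while the adjacent CVE-2018-7749 entry for AsyncSSH's SSH server implementation is already tracked against python-asyncssh with bug #892787. Triage it the same way: replace the TODO with a package line for the Paramiko source package and a NOTE pointing at the upstream fix, so that the issue appears on that package's tracker page.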
@@ -1355,30 +1369,32 @@ CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux kerne
CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py ...)
NOTE: Nonsense report for Python
CVE-2018-1000103
+ REJECTED
- jenkins <removed>
CVE-2018-1000102
+ REJECTED
- jenkins <removed>
-CVE-2018-1000114
+CVE-2018-1000114 (An improper authorization vulnerability exists in Jenkins Promoted ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000113
+CVE-2018-1000113 (A cross-site scripting vulnerability exists in Jenkins TestLink Plugin ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000112
+CVE-2018-1000112 (An improper authorization vulnerability exists in Jenkins Mercurial ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000111
+CVE-2018-1000111 (An improper authorization vulnerability exists in Jenkins Subversion ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000110
+CVE-2018-1000110 (An improper authorization vulnerability exists in Jenkins Git Plugin ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000109
+CVE-2018-1000109 (An improper authorization vulnerability exists in Jenkins Google Play ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000108
+CVE-2018-1000108 (A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000107
+CVE-2018-1000107 (An improper authorization vulnerability exists in Jenkins Job and Node ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000106
+CVE-2018-1000106 (An improper authorization vulnerability exists in Jenkins Gerrit ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000105
+CVE-2018-1000105 (An improper authorization vulnerability exists in Jenkins Gerrit ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000104
+CVE-2018-1000104 (A plaintext storage of a password vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
CVE-2018-7567 (** DISPUTED ** In the Admin Package Manager in Open Ticket Request ...)
- otrs2 <unfixed> (unimportant)
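Review bot: CVE-2018-1000103 and CVE-2018-1000102 now carry "REJECTED" directly above an unchanged "- jenkins <removed>" line, so a withdrawn ID still reads as an issue tracked for a package. Either drop the package line or add a NOTE that records why the ID was rejected, so the next person reading the entry does not have to look it up again.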
@@ -1902,8 +1918,8 @@ CVE-2018-7407
RESERVED
CVE-2018-7406
RESERVED
-CVE-2018-7405
- RESERVED
+CVE-2018-7405 (Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer ...)
+ TODO: check
CVE-2018-7404
RESERVED
CVE-2018-7403
@@ -2288,47 +2304,43 @@ CVE-2018-7281 (CactusVPN 5.3.6 for macOS contains a root privilege escalation ..
NOT-FOR-US: CactusVPN for macOS
CVE-2018-7280 (The Ninja Forms plugin before 3.2.14 for WordPress has XSS. ...)
NOT-FOR-US: Ninja Forms plugin for WordPress
-CVE-2018-1000093
- RESERVED
-CVE-2018-1000092
- RESERVED
-CVE-2018-1000091
- RESERVED
-CVE-2018-1000090
- RESERVED
-CVE-2018-1000089 [WEBHOOK_AUTHORIZATION secret disclosure when debug enabled]
- RESERVED
+CVE-2018-1000093 (CryptoNote version version 0.8.9 and possibly later contain a local ...)
+ TODO: check
+CVE-2018-1000092 (CMS Made Simple version versions 2.2.5 contains a Cross ite Request ...)
+ TODO: check
+CVE-2018-1000091 (KadNode version version 2.2.0 contains a Buffer Overflow vulnerability ...)
+ TODO: check
+CVE-2018-1000090 (textpattern version version 4.6.2 contains a XML Injection ...)
+ TODO: check
+CVE-2018-1000089 (Anymail django-anymail version version 0.2 through 1.3 contains a ...)
- django-anymail 1.4-1 (bug #890097)
[stretch] - django-anymail <no-dsa> (Minor issue; non-free/contrib not security supported)
NOTE: https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
-CVE-2018-1000088 [Stored XSS vulnerability]
- RESERVED
+CVE-2018-1000088 (Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting ...)
- ruby-doorkeeper <unfixed> (bug #891069)
NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/969
NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/970
-CVE-2018-1000087
- RESERVED
-CVE-2018-1000086
- RESERVED
-CVE-2018-1000085 [Out-of-bounds heap read in XAR parser]
- RESERVED
+CVE-2018-1000087 (WolfCMS version version 0.8.3.1 contains a Reflected Cross Site ...)
+ TODO: check
+CVE-2018-1000086 (NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a ...)
+ TODO: check
+CVE-2018-1000085 (ClamAV version version 0.99.3 contains a Out of bounds heap memory ...)
- clamav 0.99.3~beta1+dfsg-1
[stretch] - clamav 0.99.4+dfsg-1+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
NOTE: http://www.openwall.com/lists/oss-security/2017/09/29/4
-CVE-2018-1000084
- RESERVED
-CVE-2018-1000083
- RESERVED
-CVE-2018-1000082
- RESERVED
-CVE-2018-1000081
- RESERVED
-CVE-2018-1000080
- RESERVED
-CVE-2018-1000079 [Path traversal issue during gem installation allows to write to arbitrary filesystem locations]
- RESERVED
+CVE-2018-1000084 (WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site ...)
+ TODO: check
+CVE-2018-1000083 (Ajenti version version 2 contains a Improper Error Handling ...)
+ TODO: check
+CVE-2018-1000082 (Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) ...)
+ TODO: check
+CVE-2018-1000081 (Ajenti version version 2 contains a Input Validation vulnerability in ...)
+ TODO: check
+CVE-2018-1000080 (Ajenti version version 2 contains a Insecure Permissions vulnerability ...)
+ TODO: check
+CVE-2018-1000079 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
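Review bot: The bracketed summaries on CVE-2018-1000089, CVE-2018-1000088, CVE-2018-1000085 and CVE-2018-1000079 are replaced by descriptions that are cut off before they name the affected component; for example "[Out-of-bounds heap read in XAR parser]" becomes "(ClamAV version version 0.99.3 contains a Out of bounds heap memory ...)". Carry each removed summary over as a NOTE on its entry so the affected code path stays readable in the list. The eleven entries in this hunk that arrive with "TODO: check" (CryptoNote through Ajenti) still need a package line or a NOT-FOR-US decision.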
@@ -2338,8 +2350,7 @@ CVE-2018-1000079 [Path traversal issue during gem installation allows to write t
NOTE: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
NOTE: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000078 [XSS vulnerability in homepage attribute when displayed via gem server]
- RESERVED
+CVE-2018-1000078 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
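Review bot: The description added for CVE-2018-1000078, "(RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)", is the same truncated string the previous hunk gives CVE-2018-1000079, and the removed "[XSS vulnerability in homepage attribute when displayed via gem server]" was the only text here that said what the bug is. The following hunks do the same for CVE-2018-1000077 down to CVE-2018-1000073, which leaves seven RubyGems entries that can only be told apart by their commit links. Add a NOTE with the short summary to each of them.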
@@ -2348,8 +2359,7 @@ CVE-2018-1000078 [XSS vulnerability in homepage attribute when displayed via gem
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000077 [Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL]
- RESERVED
+CVE-2018-1000077 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
@@ -2358,8 +2368,7 @@ CVE-2018-1000077 [Missing URL validation on spec home attribute allows malicious
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000076 [Improper verification of signatures in tarball allows to install mis-signed gem]
- RESERVED
+CVE-2018-1000076 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
@@ -2368,8 +2377,7 @@ CVE-2018-1000076 [Improper verification of signatures in tarball allows to insta
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000075 [Infinite loop vulnerability due to negative size in tar header causes Denial of Service]
- RESERVED
+CVE-2018-1000075 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
@@ -2378,8 +2386,7 @@ CVE-2018-1000075 [Infinite loop vulnerability due to negative size in tar header
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000074 [Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML]
- RESERVED
+CVE-2018-1000074 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
@@ -2388,8 +2395,7 @@ CVE-2018-1000074 [Unsafe Object Deserialization Vulnerability in gem owner allow
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000073 [Path traversal when writing to a symlinked basedir outside of the root]
- RESERVED
+CVE-2018-1000073 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...)
- ruby2.5 2.5.0-5
- ruby2.3 <unfixed>
- ruby2.1 <removed>
@@ -2398,20 +2404,19 @@ CVE-2018-1000073 [Path traversal when writing to a symlinked basedir outside of
- jruby <unfixed>
NOTE: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
-CVE-2018-1000072
- RESERVED
-CVE-2018-1000071 [Permissions issue in enigma plugin allows exfiltration secret gpg key file]
- RESERVED
+CVE-2018-1000072 (iRedMail version prior to commit f04b8ef contains a Insecure ...)
+ TODO: check
+CVE-2018-1000071 (roundcube version 1.3.4 and earlier contains an Insecure Permissions ...)
- roundcube <unfixed>
[stretch] - roundcube <no-dsa> (Minor issue)
[wheezy] - roundcube <no-dsa> (Minor issue)
NOTE: https://github.com/roundcube/roundcubemail/issues/6173
NOTE: https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt
NOTE: Can be mitigated by moving home folder outside the scope of the webserver
-CVE-2018-1000070
- RESERVED
-CVE-2018-1000069
- RESERVED
+CVE-2018-1000070 (Bitmessage PyBitmessage version v0.6.2 (and introduced in or after ...)
+ TODO: check
+CVE-2018-1000069 (FreePlane version 1.5.9 and earlier contains a XML External Entity ...)
+ TODO: check
CVE-2018-7279
RESERVED
CVE-2018-7278 (An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP ...)
@@ -5229,30 +5234,30 @@ CVE-2018-6307
RESERVED
CVE-2018-6306
RESERVED
-CVE-2018-6305
- RESERVED
-CVE-2018-6304
- RESERVED
-CVE-2018-6303
- RESERVED
-CVE-2018-6302
- RESERVED
-CVE-2018-6301
- RESERVED
-CVE-2018-6300
- RESERVED
-CVE-2018-6299
- RESERVED
-CVE-2018-6298
- RESERVED
-CVE-2018-6297
- RESERVED
-CVE-2018-6296
- RESERVED
-CVE-2018-6295
- RESERVED
-CVE-2018-6294
- RESERVED
+CVE-2018-6305 (Denial of service in Gemalto's Sentinel LDK RTE version before 7.65 ...)
+ TODO: check
+CVE-2018-6304 (Stack overflow in custom XML-parser in Gemalto's Sentinel LDK RTE ...)
+ TODO: check
+CVE-2018-6303 (Denial of service by uploading malformed firmware in Hanwha Techwin ...)
+ TODO: check
+CVE-2018-6302 (Denial of service by blocking of new camera registration on the cloud ...)
+ TODO: check
+CVE-2018-6301 (Arbitrary camera access and monitoring via cloud in Hanwha Techwin ...)
+ TODO: check
+CVE-2018-6300 (Remote password change in Hanwha Techwin Smartcams ...)
+ TODO: check
+CVE-2018-6299 (Authentication bypass in Hanwha Techwin Smartcams ...)
+ TODO: check
+CVE-2018-6298 (Remote code execution in Hanwha Techwin Smartcams ...)
+ TODO: check
+CVE-2018-6297 (Buffer overflow in Hanwha Techwin Smartcams ...)
+ TODO: check
+CVE-2018-6296 (An undocumented (hidden) capability for switching the web interface in ...)
+ TODO: check
+CVE-2018-6295 (Unencrypted way of remote control and communications in Hanwha Techwin ...)
+ TODO: check
+CVE-2018-6294 (Unsecured way of firmware update in Hanwha Techwin Smartcams ...)
+ TODO: check
CVE-2018-6293 (Arbitrary File Read in Saperion Web Client version 7.5.2 83166. ...)
NOT-FOR-US: Saperion Web Client
CVE-2018-6292 (Remote Code Execution in Saperion Web Client version 7.5.2 83166. ...)
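Review bot: CVE-2018-6294 through CVE-2018-6305 all arrive as "TODO: check", although every description names a vendor product (Gemalto's Sentinel LDK RTE or Hanwha Techwin Smartcams). If none of these is in the archive, close them the way the neighbouring Saperion Web Client entries are closed, with a "NOT-FOR-US:" line naming the product, rather than leaving twelve open TODOs in the list.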
@@ -18407,11 +18412,9 @@ CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malfo
NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29
NOTE: Fixed by: https://mercurial-scm.org/repo/hg/rev/071cbeba4212
NOTE: Alternative workaround: https://mercurial-scm.org/repo/hg/rev/5e27afeddaee
-CVE-2017-1002102
- RESERVED
+CVE-2017-1002102 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to ...)
NOT-FOR-US: OpenShift
-CVE-2017-1002101 [Volume security can be sidestepped with innocent emptyDir and subpath]
- RESERVED
+CVE-2017-1002101 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to ...)
- kubernetes <unfixed> (bug #892801)
NOTE: https://github.com/kubernetes/kubernetes/issues/60813
CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...)
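Review bot: CVE-2017-1002102 keeps "NOT-FOR-US: OpenShift" while its new description opens with "In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to ...", the same opening as CVE-2017-1002101 directly below it, which is tracked as "- kubernetes <unfixed> (bug #892801)". The NOT-FOR-US decision was made before the description existed, so re-triage CVE-2017-1002102 against the kubernetes package, or add a NOTE explaining why that package is not affected.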
@@ -18557,8 +18560,8 @@ CVE-2018-1229
RESERVED
CVE-2018-1228
RESERVED
-CVE-2018-1227
- RESERVED
+CVE-2018-1227 (Pivotal Concourse after 2018-03-05 might allow remote attackers to ...)
+ TODO: check
CVE-2018-1226
RESERVED
CVE-2018-1225
@@ -18663,8 +18666,8 @@ CVE-2017-17444
RESERVED
CVE-2017-17443
RESERVED
-CVE-2017-17442
- RESERVED
+CVE-2017-17442 (In BlackBerry UEM Management Console version 12.7.1 and earlier, a ...)
+ TODO: check
CVE-2017-17441
RESERVED
CVE-2017-17446 (The Mem_File_Reader::read_avail function in Data_Reader.cpp in the ...)
@@ -19120,8 +19123,8 @@ CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify t
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3d2aed664ee8271fd6c721ed0aa10168cda112ea
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=582edc369cdbd348d68441fc50fa26a84afd0c1a
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5770172cb0c9df9e6ce27c507b449557e5b45124
-CVE-2018-1057
- RESERVED
+CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 ...)
+ {DSA-4135-1}
- samba 2:4.7.4+dfsg-2
[jessie] - samba <ignored> (Too intrusive to backport)
[wheezy] - samba <not-affected> (Vulnerable code introduced later in 4.0.0alpha13)
@@ -19161,8 +19164,8 @@ CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 an
- resteasy <undetermined>
- resteasy3.0 <undetermined>
TODO: check
-CVE-2018-1050
- RESERVED
+CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...)
+ {DSA-4135-1}
- samba 2:4.7.4+dfsg-2
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2018-1050.html
@@ -24513,10 +24516,10 @@ CVE-2017-16253
RESERVED
CVE-2017-16252
RESERVED
-CVE-2017-16251
- RESERVED
-CVE-2017-16250
- RESERVED
+CVE-2017-16251 (A vulnerability in the conferencing component of Mitel ST 14.2, ...)
+ TODO: check
+CVE-2017-16250 (A vulnerability in Mitel ST 14.2, release GA28 and earlier, could ...)
+ TODO: check
CVE-2017-16249 (The Debut embedded http server contains a remotely exploitable denial ...)
NOT-FOR-US: Debut embedded http server
CVE-2017-16247
@@ -72219,8 +72222,7 @@ CVE-2016-9576 (The blk_rq_map_user_iov function in block/blk-map.c in the Linux
NOTE: https://marc.info/?l=linux-scsi&m=148010092224801&w=2
NOTE: https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt
NOTE: Fixed by: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0 (v4.9)
-CVE-2016-9575 [Insufficient permission check in certprofile-mod]
- RESERVED
+CVE-2016-9575 (Ipa before version 4.4.0-14 did not properly check the user's ...)
- freeipa 4.4.4-1 (bug #849950)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1395311
NOTE: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=fec4c32ff15
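Review bot: The description that replaces "[Insufficient permission check in certprofile-mod]" on CVE-2016-9575 no longer names the affected command, and its boundary "before version 4.4.0-14" reads as a package revision rather than an upstream release, so it is hard to compare with the "- freeipa 4.4.4-1" fixed version on the next line. Add a NOTE that keeps "certprofile-mod" and states which upstream release contains the commit already linked, so the fixed version can be checked against it.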
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/be4c098e4b7f366f195eac2602d3e4c7b2010967