[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Tue Mar 27 20:10:34 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f0a62418 by security tracker role at 2018-03-27T20:10:30+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,7 @@
+CVE-2018-9057 (aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform ...)
+	TODO: check
+CVE-2018-9056 (Systems with microprocessors utilizing speculative execution may allow ...)
+	TODO: check
 CVE-2018-9055 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...)
 	- jasper <removed>
 	NOTE: https://github.com/mdadams/jasper/issues/172
@@ -726,13 +730,11 @@ CVE-2018-8766 (joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbi
 	NOT-FOR-US: joyplus-cms
 CVE-2018-8765 (In 2345 Security Guard 3.6, the driver file (2345NetFirewall.sys) ...)
 	NOT-FOR-US: 2345 Security Guard
-CVE-2018-8764 [CSRF token in URL]
-	RESERVED
+CVE-2018-8764 (Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 ...)
 	- ldap-account-manager <unfixed>
 	NOTE: https://www.ldap-account-manager.org/lamcms/node/354
 	NOTE: https://github.com/LDAPAccountManager/lam/commit/993751c7ff0faa07b7c028295152cf9c20349688
-CVE-2018-8763 [XSS vulnerabilities]
-	RESERVED
+CVE-2018-8763 (Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has ...)
 	- ldap-account-manager <unfixed>
 	NOTE: https://github.com/LDAPAccountManager/lam/commit/f1d7aec5fc4aaf516e1d8a6f0eb3082050553302
 	NOTE: https://github.com/LDAPAccountManager/lam/commit/16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c
@@ -900,8 +902,8 @@ CVE-2018-8720 (ServiceNow ITSM 2016-06-02 has XSS via the First Name or Last Nam
 	NOT-FOR-US: ServiceNow ITSM
 CVE-2018-8719
 	RESERVED
-CVE-2018-8718
-	RESERVED
+CVE-2018-8718 (Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin ...)
+	TODO: check
 CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux kernel ...)
 	- linux <unfixed>
 	NOTE: Fixed by: https://git.kernel.org/linus/0558f33c06bb910e2879e355192227a8e8f0219d
@@ -2339,8 +2341,7 @@ CVE-2018-8050 (The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka
 	NOTE: Negligable security impact
 CVE-2018-8049
 	RESERVED
-CVE-2018-8048 [XSS vulnerability]
-	RESERVED
+CVE-2018-8048 (In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML ...)
 	- ruby-loofah 2.2.1-1 (bug #893596)
 	NOTE: https://github.com/flavorjones/loofah/issues/144
 	NOTE: https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7
@@ -3209,8 +3210,8 @@ CVE-2017-18219 (An issue was discovered in GraphicsMagick 1.3.26. An allocation 
 	- graphicsmagick 1.3.27-1
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/cadd4b0522fa
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/459/
-CVE-2018-7700
-	RESERVED
+CVE-2018-7700 (DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, ...)
+	TODO: check
 CVE-2018-7699
 	RESERVED
 CVE-2018-7698 (An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L ...)
@@ -4927,16 +4928,16 @@ CVE-2018-7198 (October CMS through 1.0.431 allows XSS by entering HTML on the Ad
 	NOT-FOR-US: October CMS
 CVE-2018-7197 (An issue was discovered in Pluck through 4.7.4. A stored cross-site ...)
 	NOT-FOR-US: Pluck CMS
-CVE-2018-7196
-	RESERVED
-CVE-2018-7195
-	RESERVED
-CVE-2018-7194
-	RESERVED
-CVE-2018-7193
-	RESERVED
-CVE-2018-7192
-	RESERVED
+CVE-2018-7196 (Cross-site scripting (XSS) vulnerability in /scp/index.php in ...)
+	TODO: check
+CVE-2018-7195 (Enhancesoft osTicket before 1.10.2 allows remote attackers to reset ...)
+	TODO: check
+CVE-2018-7194 (Integer format vulnerability in the ticket number generator in ...)
+	TODO: check
+CVE-2018-7193 (Cross-site scripting (XSS) vulnerability in /scp/directory.php in ...)
+	TODO: check
+CVE-2018-7192 (Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic ...)
+	TODO: check
 CVE-2018-7191
 	RESERVED
 CVE-2018-7190
@@ -5757,8 +5758,8 @@ CVE-2018-6884
 	RESERVED
 CVE-2018-6883 (Piwigo before 2.9.3 has SQL injection in admin/tags.php in the ...)
 	- piwigo <removed>
-CVE-2018-6882
-	RESERVED
+CVE-2018-6882 (Cross-site scripting (XSS) vulnerability in the ...)
+	TODO: check
 CVE-2018-1000062 (WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File ...)
 	NOT-FOR-US: WonderCMS
 CVE-2018-1000061 (ARM mbedTLS version development branch, 2.7.0 and earlier contains a ...)
@@ -6044,10 +6045,10 @@ CVE-2018-6769 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) 
 	NOT-FOR-US: Jiangmin Antivirus
 CVE-2018-6768 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows ...)
 	NOT-FOR-US: Jiangmin Antivirus
-CVE-2018-6766
-	RESERVED
-CVE-2018-6765
-	RESERVED
+CVE-2018-6766 (Swisscom TVMediaHelper 1.1.0.50 contains a vulnerability that could ...)
+	TODO: check
+CVE-2018-6765 (Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that ...)
+	TODO: check
 CVE-2018-6763
 	RESERVED
 CVE-2018-6762
@@ -6371,6 +6372,7 @@ CVE-2018-1000052 (fmtlib version prior to version 4.1.0 (before commit ...)
 	NOTE: https://github.com/fmtlib/fmt/issues/642
 	NOTE: https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7
 CVE-2018-1000051 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability ...)
+	{DSA-4152-1}
 	- mupdf 1.12.0+ds1-1 (bug #891245)
 	[wheezy] - mupdf <not-affected> (Vulnerable code not present, introduced in version 1.3)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698825
@@ -6747,6 +6749,7 @@ CVE-2018-6546
 CVE-2018-6545 (Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting ...)
 	NOT-FOR-US: Ipswitch MoveIt
 CVE-2018-6544 (pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could ...)
+	{DSA-4152-1}
 	- mupdf 1.12.0+ds1-1 (bug #891245)
 	[wheezy] - mupdf <ignored> (Most likely not affected, minor issue)
 	NOTE: http://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d
@@ -20849,10 +20852,10 @@ CVE-2018-1269
 	RESERVED
 CVE-2018-1268
 	RESERVED
-CVE-2018-1267
-	RESERVED
-CVE-2018-1266
-	RESERVED
+CVE-2018-1267 (Cloud Foundry Silk CNI plugin, versions prior to 0.2.0, contains an ...)
+	TODO: check
+CVE-2018-1266 (Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains ...)
+	TODO: check
 CVE-2018-1265
 	RESERVED
 CVE-2018-1264
@@ -20921,8 +20924,8 @@ CVE-2018-1233
 	RESERVED
 CVE-2018-1232
 	RESERVED
-CVE-2018-1231
-	RESERVED
+CVE-2018-1231 (Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper ...)
+	TODO: check
 CVE-2018-1230 (Pivotal Spring Batch Admin, all versions, does not contain cross site ...)
 	NOT-FOR-US: Pivotal
 CVE-2018-1229 (Pivotal Spring Batch Admin, all versions, contains a stored XSS ...)
@@ -21569,7 +21572,7 @@ CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 an
 	- resteasy3.0 <undetermined>
 	TODO: check
 CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...)
-	{DSA-4135-1}
+	{DSA-4135-1 DLA-1320-1}
 	- samba 2:4.7.4+dfsg-2
 	[jessie] - samba <no-dsa> (Minor issue)
 	NOTE: https://www.samba.org/samba/security/CVE-2018-1050.html
@@ -22732,7 +22735,7 @@ CVE-2018-0788 (The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows
 	NOT-FOR-US: Microsoft
 CVE-2018-0787 (ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege ...)
 	NOT-FOR-US: Microsoft
-CVE-2018-0786 (Microsoft .NET Framework 1.1, 2.0, 3.0, 3.5, 3.5.1, 4, 4.5, 4.5.1, ...)
+CVE-2018-0786 (Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, ...)
 	NOT-FOR-US: Microsoft
 CVE-2018-0785 (ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery ...)
 	NOT-FOR-US: Microsoft
@@ -24242,8 +24245,7 @@ CVE-2018-0204 (A vulnerability in the web portal of the Cisco Prime Collaboratio
 	NOT-FOR-US: Cisco
 CVE-2018-0203 (A vulnerability in the SMTP relay of Cisco Unity Connection could allow ...)
 	NOT-FOR-US: Cisco
-CVE-2018-0202 [Out-of-bounds access in the PDF parser]
-	RESERVED
+CVE-2018-0202 (clamscan in ClamAV before 0.99.4 contains a vulnerability that could ...)
 	{DLA-1307-1}
 	- clamav 0.100.0~beta+dfsg-2
 	[stretch] - clamav 0.99.4+dfsg-1+deb9u1
@@ -24261,8 +24263,8 @@ CVE-2018-0200 (A vulnerability in the web-based interface of Cisco Prime Service
 	NOT-FOR-US: Cisco
 CVE-2018-0199 (A vulnerability in Cisco Jabber Client Framework (JCF) could allow an ...)
 	NOT-FOR-US: Cisco
-CVE-2018-0198
-	RESERVED
+CVE-2018-0198 (A vulnerability in the web framework of Cisco Unified Communications ...)
+	TODO: check
 CVE-2018-0197
 	RESERVED
 CVE-2018-0196
@@ -39019,8 +39021,8 @@ CVE-2017-12321 (Multiple vulnerabilities in the web interface of the Cisco Regis
 	NOT-FOR-US: Cisco
 CVE-2017-12320 (Multiple vulnerabilities in the web interface of the Cisco Registered ...)
 	NOT-FOR-US: Cisco
-CVE-2017-12319
-	RESERVED
+CVE-2017-12319 (A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet ...)
+	TODO: check
 CVE-2017-12318 (A vulnerability in the TCP state machine of Cisco RF Gateway 1 devices ...)
 	NOT-FOR-US: Cisco
 CVE-2017-12317 (The Cisco AMP For Endpoints application allows an authenticated, local ...)
@@ -39037,8 +39039,8 @@ CVE-2017-12312 (An untrusted search path (aka DLL Preloading) vulnerability in t
 	NOT-FOR-US: Cisco
 CVE-2017-12311 (A vulnerability in the H.264 decoder function of Cisco Meeting Server ...)
 	NOT-FOR-US: Cisco
-CVE-2017-12310
-	RESERVED
+CVE-2017-12310 (A vulnerability in the auto discovery phase of Cisco Spark Hybrid ...)
+	TODO: check
 CVE-2017-12309 (A vulnerability in the Cisco Email Security Appliance (ESA) could allow ...)
 	NOT-FOR-US: Cisco
 CVE-2017-12308 (A vulnerability in the web framework of Cisco Small Business Managed ...)
@@ -41425,7 +41427,7 @@ CVE-2017-11472 (The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.
 	NOTE: Non-issue since ACPI tables are trusted
 CVE-2017-11466 (Arbitrary file upload vulnerability in ...)
 	NOT-FOR-US: dotCMS
-CVE-2017-11463 (In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted Direct ...)
+CVE-2017-11463 (In Ivanti Service Desk (formerly LANDESK Management Suite) versions ...)
 	NOT-FOR-US: LANDESK
 CVE-2017-11462 (Double free vulnerability in MIT Kerberos 5 (aka krb5) allows ...)
 	- krb5 1.15.2-1 (low; bug #873563)
@@ -116410,8 +116412,8 @@ CVE-2015-5018 (IBM Security Access Manager for Web 7.0.0 before FP19 and 8.0 bef
 	NOT-FOR-US: IBM
 CVE-2015-5017 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...)
 	NOT-FOR-US: IBM
-CVE-2015-5016
-	RESERVED
+CVE-2015-5016 (IBM Maximo Asset Management 7.1, 7.5, and 7.6; Maximo Asset Management ...)
+	TODO: check
 CVE-2015-5015 (IBM WebSphere Commerce Enterprise 7.0.0.9 and 8.x before Feature Pack ...)
 	NOT-FOR-US: IBM
 CVE-2015-5014 (IBM Cognos Disclosure Management (CDM) 10.1.x and 10.2.x before 10.2.4 ...)
@@ -116468,8 +116470,8 @@ CVE-2015-4989 (The portal in IBM Tealeaf Customer Experience before 8.7.1.8814, 
 	NOT-FOR-US: IBM Tealeaf Customer Experience
 CVE-2015-4988 (Directory traversal vulnerability in the replay server in IBM Tealeaf ...)
 	NOT-FOR-US: IBM Tealeaf Customer Experience
-CVE-2015-4987
-	RESERVED
+CVE-2015-4987 (The search and replay servers in IBM Tealeaf Customer Experience 8.0 ...)
+	TODO: check
 CVE-2015-4986
 	RESERVED
 CVE-2015-4985
@@ -116534,8 +116536,8 @@ CVE-2015-4956 (The Web UI in IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch
 	NOT-FOR-US: IBM Security QRadar SIEM
 CVE-2015-4955 (Cross-site scripting (XSS) vulnerability in IBM Business Process ...)
 	NOT-FOR-US: IBM
-CVE-2015-4954
-	RESERVED
+CVE-2015-4954 (IBM BigFix Remote Control before Interim Fix pack ...)
+	TODO: check
 CVE-2015-4953
 	RESERVED
 CVE-2015-4952
@@ -143493,8 +143495,8 @@ CVE-2014-4961
 	RESERVED
 CVE-2014-4960 (Multiple SQL injection vulnerabilities in models\gallery.php in ...)
 	NOT-FOR-US: Joomla! component
-CVE-2014-4959
-	RESERVED
+CVE-2014-4959 (**DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the ...)
+	TODO: check
 CVE-2014-4958 (Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET ...)
 	NOT-FOR-US: Telerik UI for ASP.NET AJAX RadEditor Control
 CVE-2014-4957
@@ -155361,8 +155363,7 @@ CVE-2014-0488 (APT before 1.0.9 does not "invalidate repository data" 
 CVE-2014-0487 (APT before 1.0.9 does not verify downloaded files if they have been ...)
 	{DSA-3025-1 DLA-53-1}
 	- apt 1.0.9
-CVE-2014-0486 [remote crash with crafted DNS message]
-	RESERVED
+CVE-2014-0486 (Knot DNS before 1.5.2 allows remote attackers to cause a denial of ...)
 	- knot 1.5.2-1
 CVE-2014-0485 (S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which ...)
 	{DSA-3013-1}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0a62418c03df7585e299caf78317beb782498a1

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0a62418c03df7585e299caf78317beb782498a1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180327/37cec69b/attachment-0001.html>


More information about the Secure-testing-commits mailing list