[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Tue May 1 21:10:31 BST 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f12c2f4a by security tracker role at 2018-05-01T20:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,117 @@
-CVE-2018-10581
+CVE-2018-10637
 	RESERVED
+CVE-2018-10636
+	RESERVED
+CVE-2018-10635
+	RESERVED
+CVE-2018-10634
+	RESERVED
+CVE-2018-10633
+	RESERVED
+CVE-2018-10632
+	RESERVED
+CVE-2018-10631
+	RESERVED
+CVE-2018-10630
+	RESERVED
+CVE-2018-10629
+	RESERVED
+CVE-2018-10628
+	RESERVED
+CVE-2018-10627
+	RESERVED
+CVE-2018-10626
+	RESERVED
+CVE-2018-10625
+	RESERVED
+CVE-2018-10624
+	RESERVED
+CVE-2018-10623
+	RESERVED
+CVE-2018-10622
+	RESERVED
+CVE-2018-10621
+	RESERVED
+CVE-2018-10620
+	RESERVED
+CVE-2018-10619
+	RESERVED
+CVE-2018-10618
+	RESERVED
+CVE-2018-10617
+	RESERVED
+CVE-2018-10616
+	RESERVED
+CVE-2018-10615
+	RESERVED
+CVE-2018-10614
+	RESERVED
+CVE-2018-10613
+	RESERVED
+CVE-2018-10612
+	RESERVED
+CVE-2018-10611
+	RESERVED
+CVE-2018-10610
+	RESERVED
+CVE-2018-10609
+	RESERVED
+CVE-2018-10608
+	RESERVED
+CVE-2018-10607
+	RESERVED
+CVE-2018-10606
+	RESERVED
+CVE-2018-10605
+	RESERVED
+CVE-2018-10604
+	RESERVED
+CVE-2018-10603
+	RESERVED
+CVE-2018-10602
+	RESERVED
+CVE-2018-10601
+	RESERVED
+CVE-2018-10600
+	RESERVED
+CVE-2018-10599
+	RESERVED
+CVE-2018-10598
+	RESERVED
+CVE-2018-10597
+	RESERVED
+CVE-2018-10596
+	RESERVED
+CVE-2018-10595
+	RESERVED
+CVE-2018-10594
+	RESERVED
+CVE-2018-10593
+	RESERVED
+CVE-2018-10592
+	RESERVED
+CVE-2018-10591
+	RESERVED
+CVE-2018-10590
+	RESERVED
+CVE-2018-10589
+	RESERVED
+CVE-2018-10588
+	RESERVED
+CVE-2018-10587
+	RESERVED
+CVE-2018-10586
+	RESERVED
+CVE-2018-10585
+	RESERVED
+CVE-2018-10584
+	RESERVED
+CVE-2018-10583 (An information disclosure vulnerability occurs when LibreOffice 6.0.3 ...)
+	TODO: check
+CVE-2018-10582
+	RESERVED
+CVE-2018-10581 (In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able ...)
+	TODO: check
 CVE-2018-10580
 	RESERVED
 CVE-2018-10579
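Review bot: CVE-2018-10583 is the one new entry in this hunk whose description names software Debian ships (LibreOffice 6.0.3), so its "TODO: check" should be triaged into a libreoffice package line (a fixed version, or <not-affected> with a reason) rather than waiting for a later automatic pass; the remaining additions are bare RESERVED placeholders and need no action.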
@@ -181,7 +293,7 @@ CVE-2018-10526
 	RESERVED
 CVE-2018-10525
 	RESERVED
-CVE-2017-18264 [PMASA-2017-8]
+CVE-2017-18264 (An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 ...)
 	- phpmyadmin 4:4.6.6-2
 	NOTE: https://www.phpmyadmin.net/security/PMASA-2017-8/
 	NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 (4.7-branch)
@@ -513,8 +625,8 @@ CVE-2018-10372 (process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remot
 	[wheezy] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23064
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d
-CVE-2018-10371
-	RESERVED
+CVE-2018-10371 (An issue was discovered in the wunderfarm WF Cookie Consent plugin ...)
+	TODO: check
 CVE-2018-1000178 [Implement custom deserializer to add our own sanity checks]
 	- quassel 1:0.12.5-1 (bug #896914)
 	NOTE: https://github.com/quassel/quassel/commit/2b777e99fc9f74d4ed21491710260664a1721d1f (master)
@@ -535,8 +647,8 @@ CVE-2018-10367 (An issue was discovered in WUZHI CMS 4.1.0. The content-manageme
 	NOT-FOR-US: WUZHI CMS
 CVE-2018-10366 (An issue was discovered in the Users (aka Front-end user management) ...)
 	NOT-FOR-US: Users (aka Front-end user management) plugin for October CMS
-CVE-2018-10365
-	RESERVED
+CVE-2018-10365 (An XSS issue was discovered in the Threads to Link plugin 1.3 for ...)
+	TODO: check
 CVE-2018-10364 (BigTree before 4.2.22 has XSS in the Users management page via the name ...)
 	NOT-FOR-US: BigTree CMS
 CVE-2018-10363
@@ -622,6 +734,7 @@ CVE-2018-10325
 CVE-2018-10324
 	RESERVED
 CVE-2018-10323 (The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in ...)
+	{DSA-4188-1}
 	- linux 4.16.5-1
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199423
 CVE-2018-10322 (The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the ...)
@@ -760,18 +873,18 @@ CVE-2018-10262
 	RESERVED
 CVE-2018-10261
 	RESERVED
-CVE-2018-10260
-	RESERVED
-CVE-2018-10259
-	RESERVED
-CVE-2018-10258
-	RESERVED
-CVE-2018-10257
-	RESERVED
-CVE-2018-10256
-	RESERVED
-CVE-2018-10255
-	RESERVED
+CVE-2018-10260 (A Local File Inclusion vulnerability was found in HRSALE The Ultimate ...)
+	TODO: check
+CVE-2018-10259 (An Authenticated Stored XSS vulnerability was found in HRSALE The ...)
+	TODO: check
+CVE-2018-10258 (A CSV Injection vulnerability was discovered in Shopy Point of Sale ...)
+	TODO: check
+CVE-2018-10257 (A CSV Injection vulnerability was discovered in HRSALE The Ultimate ...)
+	TODO: check
+CVE-2018-10256 (A SQL Injection vulnerability was discovered in HRSALE The Ultimate ...)
+	TODO: check
+CVE-2018-10255 (A CSV Injection vulnerability was discovered in clustercoding Blog ...)
+	TODO: check
 CVE-2018-10254 (Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the ...)
 	- nasm <unfixed> (bug #896523)
 	[stretch] - nasm <no-dsa> (Minor issue)
@@ -927,7 +1040,7 @@ CVE-2018-1000200 [mm, oom: fix concurrent munlock and oom reaper unmap]
 CVE-2018-1000167 (OISF suricata-update version 1.0.0a1 contains an Insecure ...)
 	NOT-FOR-US: suricata-update (different from suricata)
 CVE-2018-1000166
-	RESERVED
+	REJECTED
 CVE-2018-1000165 (LightSAML version prior to 1.3.5 contains a Incorrect Access Control ...)
 	NOT-FOR-US: LightSAML
 CVE-2018-1000163 (Floodlight version 1.2 and earlier contains a Cross Site Scripting ...)
@@ -988,7 +1101,7 @@ CVE-2018-10182
 	RESERVED
 CVE-2018-1000199 [ptrace() incorrect error handling leads to corruption and DoS]
 	RESERVED
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 	NOTE: Fixed by: https://git.kernel.org/linus/f67b15037a7a50c57f72e69a6d59941ad90a0f0f
 CVE-2018-10181
@@ -2852,8 +2965,8 @@ CVE-2018-9338
 	RESERVED
 CVE-2018-9337
 	RESERVED
-CVE-2018-9336
-	RESERVED
+CVE-2018-9336 (openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x ...)
+	TODO: check
 CVE-2018-9335
 	RESERVED
 CVE-2018-9334
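Review bot: CVE-2018-9336 is left at "TODO: check" although Debian ships src:openvpn; the description names openvpnserv.exe, and the .exe suffix indicates a Windows-only component, so confirm whether the Debian package builds or ships that helper and record either <not-affected> (with the reason) or a fixed version instead of leaving the TODO pending.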
@@ -3029,6 +3142,7 @@ CVE-2018-9275 (In check_user_token in util.c in the Yubico PAM module (aka pam_y
 	NOTE: Introduced in: https://github.com/Yubico/yubico-pam/commit/d9780eacd9e61c5062cdabdce21c224de1884583 (2.18)
 	NOTE: https://github.com/Yubico/yubico-pam/issues/136
 CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel ...)
+	{DSA-4188-1}
 	- linux 4.11.6-1
 	[jessie] - linux <not-affected> (Vulnerable code introduced later)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -3208,8 +3322,8 @@ CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. I
 	[wheezy] - ncmpc <no-dsa> (Minor issue)
 CVE-2018-9233 (Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for ...)
 	NOT-FOR-US: Sophos
-CVE-2018-9232
-	RESERVED
+CVE-2018-9232 (Due to the lack of firmware authentication in the upgrade process of ...)
+	TODO: check
 CVE-2018-9231
 	RESERVED
 CVE-2018-9230 (** DISPUTED ** In OpenResty through 1.13.6.1, URI parameters are ...)
@@ -3940,10 +4054,10 @@ CVE-2018-8941 (Diagnostics functionality on D-Link DSL-3782 devices with firmwar
 	NOT-FOR-US: D-Link
 CVE-2018-8940
 	RESERVED
-CVE-2018-8939
-	RESERVED
-CVE-2018-8938
-	RESERVED
+CVE-2018-8939 (An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold ...)
+	TODO: check
+CVE-2018-8938 (A Code Injection issue was discovered in DlgSelectMibFile.asp in ...)
+	TODO: check
 CVE-2018-8937 (An issue was discovered in Open-AudIT Professional 2.1. It is possible ...)
 	NOT-FOR-US: Open-AudIT Professional
 CVE-2018-8936 (The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips ...)
@@ -4057,6 +4171,7 @@ CVE-2018-8885 (screenresolution-mechanism in screen-resolution-extra 0.17.2 does
 CVE-2018-1000136 (Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to ...)
 	- electron <itp> (bug #842420)
 CVE-2017-18241 (fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to ...)
+	{DSA-4188-1 DSA-4187-1}
 	- linux 4.13.4-1
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/d4fdf8ba0e5808ba9ad6b44337783bd9935e0982
@@ -4209,7 +4324,7 @@ CVE-2018-8824
 CVE-2018-8823 (modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu ...)
 	NOT-FOR-US: Responsive Mega Menu Pro module for PrestaShop
 CVE-2018-8822 (Incorrect buffer length handling in the ncp_read_kernel function in ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Information ...)
 	- network-manager <unfixed> (bug #895658)
@@ -4325,7 +4440,7 @@ CVE-2018-8783
 CVE-2018-8782
 	RESERVED
 CVE-2018-8781 (The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 	NOTE: https://patchwork.freedesktop.org/patch/211845/
 	NOTE: Fixed by: https://git.kernel.org/linus/3b82a4db8eaccce735dffd50b4d4e1578099b8e8
@@ -4588,6 +4703,7 @@ CVE-2018-8719 (An issue was discovered in the WP Security Audit Log plugin 3.1.1
 CVE-2018-8718 (Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin ...)
 	- jenkins-mailer-plugin <removed>
 CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux kernel ...)
+	{DSA-4187-1}
 	- linux 4.15.17-1
 	[wheezy] - linux <not-affected> (Vulnerability introduced later)
 	NOTE: Fixed by: https://git.kernel.org/linus/0558f33c06bb910e2879e355192227a8e8f0219d
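Review bot: CVE-2017-18232 receives only DSA-4187-1 here, while the other linux entries in this update that are fixed in 4.15.x and show no stretch-specific line (CVE-2018-8822, CVE-2018-7757, CVE-2018-7740) receive DSA-4188-1 as well; confirm that stretch is already covered for this CVE by an earlier advisory or by a [stretch] line outside the shown context, and otherwise add DSA-4188-1 to the reference set.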
@@ -5931,6 +6047,7 @@ CVE-2018-8088 (org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J b
 	NOTE: https://jira.qos.ch/browse/SLF4J-430
 	NOTE: https://jira.qos.ch/browse/SLF4J-431
 CVE-2018-8087 (Memory leak in the hwsim_new_radio_nl function in ...)
+	{DSA-4188-1}
 	- linux 4.15.11-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -5999,6 +6116,7 @@ CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the owners
 CVE-2017-18225 (The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, ...)
 	TODO: check
 CVE-2017-18224 (In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a ...)
+	{DSA-4188-1}
 	- linux 4.15.4-1
 	[jessie] - linux <not-affected> (Vulnerable code introduced later)
 	[wheezy] - linux <not-affected> (Vulnerable code introduced later)
@@ -6385,7 +6503,7 @@ CVE-2018-7892
 CVE-2018-7891 (The Milestone XProtect Video Management Software (Corporate, Expert, ...)
 	TODO: check
 CVE-2018-7995 (** DISPUTED ** Race condition in the store_int_with_restart() function ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.11-1
 	NOTE: https://lkml.org/lkml/2018/3/2/970
 CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine ...)
@@ -6700,10 +6818,11 @@ CVE-2018-7759 (A buffer overflow vulnerability exists in Schneider Electric's Mo
 CVE-2018-7758 (A denial of service vulnerability exists in Schneider Electric's MiCOM ...)
 	NOT-FOR-US: Schneider
 CVE-2018-7757 (Memory leak in the sas_smp_get_phy_events function in ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 	NOTE: Fixed by: https://git.kernel.org/linus/4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 (4.16-rc1)
 CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does ...)
+	{DSA-4188-1}
 	- linux 4.15.17-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -6768,7 +6887,7 @@ CVE-2018-1000117 (Python Software Foundation CPython version From 3.2 until 3.6.
 	NOTE: http://hg.python.org/lookup/6921e73e33edc3c61bc2d78ed558eaa22a89a564
 	NOTE: https://bugs.python.org/issue33001
 CVE-2018-7740 (The resv_map_release function in mm/hugetlb.c in the Linux kernel ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199037
 CVE-2018-7739 (antsle antman before 0.9.1a allows remote attackers to bypass ...)
@@ -6990,6 +7109,7 @@ CVE-2018-7674 (The NetIQ Identity Manager user console, in versions prior to 4.7
 CVE-2018-7673 (The NetIQ Identity Manager communication channel, in versions prior to ...)
 	NOT-FOR-US: NetIQ Identity Manager
 CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel ...)
+	{DSA-4188-1}
 	- linux 4.13.4-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -6997,7 +7117,7 @@ CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux ke
 CVE-2017-18217 (An issue was discovered in InvoicePlane before 1.5.5. It was observed ...)
 	NOT-FOR-US: InvoicePlane
 CVE-2017-18216 (In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.4-1
 	NOTE: Fixed by: https://git.kernel.org/linus/853bc26a7ea39e354b9f8889ae7ad1492ffa28d2
 CVE-2017-18215 (xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when ...)
@@ -7402,7 +7522,7 @@ CVE-2018-7567 (** DISPUTED ** In the Admin Package Manager in Open Ticket Reques
 	NOTE: installed which is not verified by the OTRS Group. Responsiblity of the
 	NOTE: respective admin to check packages before installation.
 CVE-2018-7566 (The Linux kernel 4.15 has a Buffer Overflow via an ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.11-1
 	NOTE: Fixed by: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da
 CVE-2018-7565 (CSRF exists on Polycom QDX 6000 devices. ...)
@@ -7638,7 +7758,7 @@ CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kerne
 	[wheezy] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300
 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.7-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/b9a41d21dceadf8104812626ef85dc56ee8a60ed
@@ -7649,7 +7769,7 @@ CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux ke
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
 	NOTE: Fixed by: https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146
 CVE-2018-7492 (A NULL pointer dereference was found in the net/rds/rdma.c ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.7-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/f3069c6d33f6ae63a1668737bc78aaaa51bff7ca
@@ -7721,6 +7841,7 @@ CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null 
 CVE-2018-7481
 	RESERVED
 CVE-2018-7480 (The blkcg_init_queue function in block/blk-cgroup.c in the Linux ...)
+	{DSA-4188-1}
 	- linux 4.11.6-1
 	[jessie] - linux <not-affected> (Issue introduced later)
 	[wheezy] - linux <not-affected> (Issue introduced later)
@@ -8106,6 +8227,7 @@ CVE-2018-7339 (The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandle
 CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the "signup" ...)
 	NOT-FOR-US: HamayeshNegar CMS
 CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles ...)
+	{DSA-4188-1}
 	- linux 4.13.4-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -9466,7 +9588,7 @@ CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion c
 	NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e
 	NOTE: https://github.com/qpdf/qpdf/issues/51
 CVE-2018-6927 (The futex_requeue function in kernel/futex.c in the Linux kernel before ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.17-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a
@@ -10443,8 +10565,8 @@ CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers to 
 	NOT-FOR-US: Converse.js
 CVE-2018-6590
 	RESERVED
-CVE-2018-6589
-	RESERVED
+CVE-2018-6589 (CA Spectrum 10.1 prior to 10.01.02.PTF_10.1.239 and 10.2.x prior to ...)
+	TODO: check
 CVE-2018-6588 (CA API Developer Portal 3.5 up to and including 3.5 CR5 has a ...)
 	NOT-FOR-US: CA API Developer Portal
 CVE-2018-6587 (CA API Developer Portal 3.5 up to and including 3.5 CR6 has a ...)
@@ -12934,7 +13056,7 @@ CVE-2018-5804
 	RESERVED
 CVE-2018-5803 [Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service]
 	RESERVED
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.11-1
 	NOTE: Fixed by: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c
 CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp]
@@ -13155,7 +13277,7 @@ CVE-2017-18034 (The source browse resource in Atlassian FishEye and Crucible bef
 CVE-2017-18033 (The Jira-importers-plugin in Atlassian Jira before version 7.6.1 ...)
 	NOT-FOR-US: Jira-importers-plugin in Atlassian Jira
 CVE-2018-5750 (The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux ...)
-	{DSA-4120-1 DLA-1369-1}
+	{DSA-4187-1 DSA-4120-1 DLA-1369-1}
 	- linux 4.15.4-1
 	NOTE: https://patchwork.kernel.org/patch/10174835/
 CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 and ...)
@@ -14160,7 +14282,7 @@ CVE-2018-5347 (Seagate Media Server in Seagate Personal Cloud has unauthenticate
 CVE-2018-5346
 	RESERVED
 CVE-2018-1000004 (In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.17-1
 	[stretch] - linux 4.9.80-1
 CVE-2018-1000001 (In glibc 2.26 and earlier there is confusion in the usage of getcwd() ...)
@@ -14216,12 +14338,12 @@ CVE-2018-5334 (In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave f
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14297
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dc308c05ba0673460fe80873b22d296880ee996d
 CVE-2018-5333 (In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.17-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/7d11f77f84b27cef452cee332f4e469503084737
 CVE-2018-5332 (In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.17-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c
@@ -17809,7 +17931,7 @@ CVE-2018-3818 (Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripti
 CVE-2018-3817 (When logging warnings regarding deprecated settings, Logstash before ...)
 	- logstash <itp> (bug #664841)
 CVE-2017-18017 (The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.11.6-1
 	[stretch] - linux 4.9.47-1
 	NOTE: Fixed by: https://git.kernel.org/linus/2638fd0f92d4397884fd991d8f4925cb3f081901
@@ -18058,6 +18180,7 @@ CVE-2017-17977
 CVE-2017-17976 (In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can ...)
 	NOT-FOR-US: Perfex CRM
 CVE-2017-17975 (Use-after-free in the usbtv_probe function in ...)
+	{DSA-4188-1}
 	- linux 4.15.17-1
 	[jessie] - linux <not-affected> (Vulnerable code path not present)
 	[wheezy] - linux <not-affected> (Vulnerable code path not present)
@@ -23937,8 +24060,8 @@ CVE-2018-1504
 	RESERVED
 CVE-2018-1503
 	RESERVED
-CVE-2018-1502
-	RESERVED
+CVE-2018-1502 (IBM Content Manager Enterprise Edition Resource Manager 8.4.3 and 9.5 ...)
+	TODO: check
 CVE-2018-1501
 	RESERVED
 CVE-2018-1500
@@ -25737,6 +25860,7 @@ CVE-2018-1109
 	NOTE: nodejs not covered by security support
 CVE-2018-1108 [random: fix crng_ready() test]
 	RESERVED
+	{DSA-4188-1}
 	- linux 4.16.5-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -25798,10 +25922,11 @@ CVE-2018-1094 (The ext4_fill_super function in fs/ext4/super.c in the Linux kern
 	[wheezy] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199183
 CVE-2018-1093 (The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux ...)
+	{DSA-4188-1}
 	- linux 4.15.17-1
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199181
 CVE-2018-1092 (The ext4_iget function in fs/ext4/inode.c in the Linux kernel through ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.17-1
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199179
 	NOTE: Fixed by: https://git.kernel.org/linus/8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44
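Review bot: CVE-2018-1093 gets DSA-4188-1 only, whereas CVE-2018-1092 directly below it, fixed in the same upload (linux 4.15.17-1), gets DSA-4188-1, DSA-4187-1 and DLA-1369-1; no [jessie] or [wheezy] line is visible for CVE-2018-1093, so confirm whether jessie and wheezy are affected and, if they are, whether the jessie advisory and a DLA are still outstanding for it.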
@@ -25890,7 +26015,7 @@ CVE-2018-1070
 CVE-2018-1069 (Red Hat OpenShift Enterprise version 3.7 is vulnerable to access ...)
 	NOT-FOR-US: OpenShift
 CVE-2018-1068 (A flaw was found in the Linux 4.x kernel's implementation of 32-bit ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.11-1
 	NOTE: https://git.kernel.org/linus/b71812168571fa55e44cdd0254471331b9c4c4c6
 	NOTE: Unprivileged user namespaces are disabled in Debian, this only affects
@@ -25899,10 +26024,12 @@ CVE-2018-1067
 	RESERVED
 	TODO: check, unclear if issue is in src:untertow or in its use in WildFly (issue is incomplete fix for CVE-2016-4993, which might need an update depending on the result)
 CVE-2018-1066 (The Linux kernel before version 4.11 is vulnerable to a NULL pointer ...)
+	{DSA-4188-1 DSA-4187-1}
 	- linux 4.11.6-1
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
 	NOTE: Fixed by: https://git.kernel.org/linus/cabfb3680f78981d26c078a26e5c748531257ebb
 CVE-2018-1065 (The netfilter subsystem in the Linux kernel through 4.15.7 mishandles ...)
+	{DSA-4188-1}
 	- linux 4.15.11-1
 	[jessie] - linux <not-affected> (Vulnerable code introduced later)
 	[wheezy] - linux <not-affected> (Vulnerable code introduced later)
@@ -28069,8 +28196,8 @@ CVE-2017-17022
 	RESERVED
 CVE-2017-17021
 	RESERVED
-CVE-2017-17020
-	RESERVED
+CVE-2017-17020 (On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 ...)
+	TODO: check
 CVE-2017-17019
 	RESERVED
 CVE-2017-17018
@@ -29198,22 +29325,22 @@ CVE-2017-16916
 CVE-2017-16915
 	RESERVED
 CVE-2017-16914 (The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.12-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/be6123df1ea8f01ee2f896a16c2b7be3e4557a5a
 CVE-2017-16913 (The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.12-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/c6688ef9f29762e65bce325ef4acd6c675806366
 CVE-2017-16912 (The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.12-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/635f545a7e8be7596b9b2b6a43cab6bbd5a88e43
 CVE-2017-16911 (The vhci_hcd driver in the Linux Kernel before version 4.14.8 and ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.14.12-1
 	[stretch] - linux 4.9.80-1
 	NOTE: Fixed by: https://git.kernel.org/linus/2f2d0088eb93db5c649d2a5e34a3800a8a935fc5
@@ -30762,7 +30889,7 @@ CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local
 	[jessie] - linux 3.16.51-1
 	NOTE: Fixed by: https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4
 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.13.10-1
 	[stretch] - linux 4.9.65-1
 	NOTE: Fixed by: https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043
@@ -38381,12 +38508,12 @@ CVE-2017-14016 (A Stack-based Buffer Overflow issue was discovered in Advantech 
 	NOT-FOR-US: Advantech
 CVE-2017-14015
 	RESERVED
-CVE-2017-14014
-	RESERVED
+CVE-2017-14014 (Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded ...)
+	TODO: check
 CVE-2017-14013 (A Client-Side Enforcement of Server-Side Security issue was discovered ...)
 	NOT-FOR-US: ProMinent MultiFLEX M10a Controller
-CVE-2017-14012
-	RESERVED
+CVE-2017-14012 (Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at ...)
+	TODO: check
 CVE-2017-14011 (A Cross-Site Request Forgery issue was discovered in ProMinent ...)
 	NOT-FOR-US: ProMinent MultiFLEX M10a Controller
 CVE-2017-14010 (In SpiderControl MicroBrowser Windows XP, Vista 7, 8 and 10, Versions ...)
@@ -40319,6 +40446,7 @@ CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel k
 CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel wifi ...)
 	NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline)
 CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...)
+	{DSA-4187-1}
 	- linux 4.0.2-1
 	[wheezy] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: https://git.kernel.org/linus/51bda2bca53b265715ca1852528f38dc67429d9a
@@ -40436,7 +40564,7 @@ CVE-2017-13168 (An elevation of privilege vulnerability in the kernel scsi drive
 CVE-2017-13167 (An elevation of privilege vulnerability in the kernel sound timer. ...)
 	NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline)
 CVE-2017-13166 (An elevation of privilege vulnerability in the kernel v4l2 video ...)
-	{DSA-4120-1 DLA-1369-1}
+	{DSA-4187-1 DSA-4120-1 DLA-1369-1}
 	- linux 4.15.4-1
 	NOTE: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13166.html
 	NOTE: https://git.kernel.org/linus/a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a
@@ -59058,6 +59186,7 @@ CVE-2015-9018
 CVE-2015-9017
 	RESERVED
 CVE-2015-9016 (In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a ...)
+	{DSA-4187-1}
 	- linux 4.2.3-1
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
 	NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed1222283492070027aa9 (4.3-rc1)
@@ -63688,6 +63817,7 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and 
 	NOTE: https://01.org/security/advisories/intel-oss-10003
 	- linux-grsec <removed>
 CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and ...)
+	{DSA-4188-1 DSA-4187-1}
 	- linux 4.15.11-1
 	- nvidia-graphics-drivers 384.111-1 (bug #886852)
 	[stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
@@ -63779,7 +63909,7 @@ CVE-2017-5717 (Type Confusion in Content Protection HECI Service in Intel Graphi
 CVE-2017-5716
 	REJECTED
 CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and ...)
-	{DLA-1369-1}
+	{DSA-4188-1 DSA-4187-1 DLA-1369-1}
 	- linux 4.15.11-1
 	NOTE: https://spectreattack.com/
 	NOTE: https://xenbits.xen.org/xsa/advisory-254.html
@@ -64669,10 +64799,10 @@ CVE-2017-5540
 	RESERVED
 CVE-2017-5539 (The patch for directory traversal (CVE-2017-5480) in b2evolution ...)
 	- b2evolution <removed>
-CVE-2017-5536
-	RESERVED
-CVE-2017-5535
-	RESERVED
+CVE-2017-5536 (The GridServer Broker, and GridServer Director components of TIBCO ...)
+	TODO: check
+CVE-2017-5535 (The GridServer Broker, GridServer Driver, and GridServer Engine ...)
+	TODO: check
 CVE-2017-5534 (The tibbr user profiles components of tibbr Community, and tibbr ...)
 	NOT-FOR-US: tibbr
 CVE-2017-5533 (A vulnerability in the server content cache of TIBCO JasperReports ...)
@@ -69305,8 +69435,8 @@ CVE-2016-10038 (Directory traversal in /connectors/index.php in MODX Revolution 
 	NOT-FOR-US: MODX Revolution
 CVE-2016-10037 (Directory traversal in /connectors/index.php in MODX Revolution before ...)
 	NOT-FOR-US: MODX Revolution
-CVE-2016-10036
-	RESERVED
+CVE-2016-10036 (Unrestricted file upload vulnerability in ui/artifact/upload in JFrog ...)
+	TODO: check
 CVE-2016-10035
 	RESERVED
 CVE-2016-10034 (The setFrom function in the Sendmail adapter in the zend-mail ...)
@@ -77471,7 +77601,7 @@ CVE-2017-0863 (An elevation of privilege vulnerability in the Upstream kernel vi
 CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...)
 	NOT-FOR-US: Android driver (proprietary, not part of upstream kernel)
 CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in the ALSA ...)
-	{DLA-1369-1}
+	{DSA-4187-1 DLA-1369-1}
 	- linux 4.13.4-1
 	[stretch] - linux 4.9.80-1
 	NOTE: https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229
@@ -88167,7 +88297,7 @@ CVE-2016-6813 (Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call 
 	NOT-FOR-US: Apache CloudStack
 CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x ...)
 	NOT-FOR-US: Apache CXF
-CVE-2016-6811 [Apache Hadoop Privilege escalation vulnerability]
+CVE-2016-6811 (In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn ...)
 	- hadoop <itp> (bug #793644)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/05/01/2
 CVE-2016-6810 (In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site ...)
@@ -169518,8 +169648,7 @@ CVE-2013-4211
 	NOT-FOR-US: OpenX
 CVE-2013-4210 (The org.jboss.remoting.transport.socket.ServerThread class in Red Hat ...)
 	NOT-FOR-US: JBoss Remoting
-CVE-2013-4209 [ABRT: (substantially) limited leak of unauthorized information]
-	RESERVED
+CVE-2013-4209 (Automatic Bug Reporting Tool (ABRT) before 2.1.6 allows local users to ...)
 	NOT-FOR-US: abrt is Red Hat / Fedora specific
 CVE-2013-4208 (The rsa_verify function in PuTTY before 0.63 (1) does not clear ...)
 	{DSA-2736-1}
@@ -169554,8 +169683,7 @@ CVE-2013-4203 (The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg g
 	NOT-FOR-US: Ruby Rgpg Gem
 CVE-2013-4202 (The (1) backup (api/contrib/backups.py) and (2) volume transfer ...)
 	- cinder 2013.1.2-4 (bug #719118)
-CVE-2013-4201 [Katello: CLI - user without access can call "system remove_deletion" command]
-	RESERVED
+CVE-2013-4201 (Katello allows remote authenticated users to call the "system ...)
 	NOT-FOR-US: Katello
 CVE-2013-4200 (The isURLInPortal method in the URLTool class in in_portal.py in Plone ...)
 	NOT-FOR-US: Plone
@@ -170070,8 +170198,8 @@ CVE-2013-4042 (Unspecified vulnerability in IBM SPSS Collaboration and Deploymen
 	NOT-FOR-US: IBM SPSS Collaboration and Deployment Services
 CVE-2013-4041 (Unspecified vulnerability in IBM Java SDK 5.0.0 before SR16 FP4, 7.0.0 ...)
 	NOT-FOR-US: IBM JDK
-CVE-2013-4040
-	RESERVED
+CVE-2013-4040 (IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x ...)
+	TODO: check
 CVE-2013-4039 (IBM WebSphere Extended Deployment Compute Grid 8.0 before 8.0.0.3 ...)
 	NOT-FOR-US: IBM WebSphere
 CVE-2013-4038 (The Intelligent Platform Management Interface (IPMI) implementation in ...)
@@ -170080,8 +170208,8 @@ CVE-2013-4037 (The RAKP protocol support in the Intelligent Platform Management 
 	NOT-FOR-US: IBM BladeCenter
 CVE-2013-4036 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...)
 	NOT-FOR-US: IBM
-CVE-2013-4035
-	RESERVED
+CVE-2013-4035 (IBM Sterling Connect:Direct for OpenVMS 3.4.00, 3.4.01, 3.5.00, 3.6.0, ...)
+	TODO: check
 CVE-2013-4034 (IBM Cognos Business Intelligence 8.4.1 before IF3, 10.1.0 before IF4, ...)
 	NOT-FOR-US: IBM
 CVE-2013-4033 (IBM DB2 and DB2 Connect 9.7 through FP8, 9.8 through FP5, 10.1 through ...)
@@ -175184,8 +175312,7 @@ CVE-2013-2051 (The Tomcat 6 DIGEST authentication functionality as used in Red H
 	- tomcat7 <not-affected> (RedHat-specific issue)
 CVE-2013-2050 (SQL injection vulnerability in the miq_policy controller in Red Hat ...)
 	NOT-FOR-US: CloudForms Management Engine
-CVE-2013-2049
-	RESERVED
+CVE-2013-2049 (Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers ...)
 	NOT-FOR-US: CloudForms Management Engine
 CVE-2013-2048 (ownCloud before 5.0.6 does not properly check permissions, which ...)
 	- owncloud <not-affected> (Only affects 5.0.x)
@@ -181111,8 +181238,7 @@ CVE-2013-0187 (Foreman before 1.1 allows remote authenticated users to gain ...)
 CVE-2013-0186
 	RESERVED
 	NOT-FOR-US: ManageIQ EVM (CloudForms)
-CVE-2013-0185
-	RESERVED
+CVE-2013-0185 (Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise ...)
 	NOT-FOR-US: ManageIQ EVM (CloudForms)
 CVE-2013-0184 (Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x ...)
 	{DSA-2783-1}
@@ -181216,8 +181342,7 @@ CVE-2013-0160 (The Linux kernel through 3.7.9 allows local users to obtain sensi
 	- linux 3.8.12-1 (unimportant)
 	- linux-2.6 <removed> (unimportant)
 	NOTE: Minor information leak, rather a missing hardening feature than a security vulnerability.
-CVE-2013-0159
-	RESERVED
+CVE-2013-0159 (The fedora-business-cards package before 1-0.1.beta1.fc17 on Fedora 17 ...)
 	NOT-FOR-US: Fedora build script
 CVE-2013-0158 (Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before ...)
 	- jenkins 1.480.2+dfsg-1~exp1 (bug #697617)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f12c2f4afd4a197baee7782b5d97440f295ab299
