[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu Sep 6 21:11:26 BST 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f35aabfc by security tracker role at 2018-09-06T20:11:16Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,160 @@
+CVE-2018-16617
+	RESERVED
+CVE-2018-16616
+	RESERVED
+CVE-2018-16615
+	RESERVED
+CVE-2018-16614
+	RESERVED
+CVE-2018-16613
+	RESERVED
+CVE-2018-16612
+	RESERVED
+CVE-2018-16611
+	RESERVED
+CVE-2018-16610
+	RESERVED
+CVE-2018-16609
+	RESERVED
+CVE-2018-16608
+	RESERVED
+CVE-2018-16607
+	RESERVED
+CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) ...)
+	TODO: check
+CVE-2018-16605
+	RESERVED
+CVE-2018-16604 (An issue was discovered in Nibbleblog v4.0.5. With an admin's username ...)
+	TODO: check
+CVE-2018-16603
+	RESERVED
+CVE-2018-16602
+	RESERVED
+CVE-2018-16601
+	RESERVED
+CVE-2018-16600
+	RESERVED
+CVE-2018-16599
+	RESERVED
+CVE-2018-16598
+	RESERVED
+CVE-2018-16597
+	RESERVED
+CVE-2018-16596
+	RESERVED
+CVE-2018-16595
+	RESERVED
+CVE-2018-16594
+	RESERVED
+CVE-2018-16593
+	RESERVED
+CVE-2018-16592
+	RESERVED
+CVE-2018-16591
+	RESERVED
+CVE-2018-16590
+	RESERVED
+CVE-2018-16589
+	RESERVED
+CVE-2018-16588
+	RESERVED
+CVE-2018-16587
+	RESERVED
+CVE-2018-16586
+	RESERVED
+CVE-2018-16584
+	RESERVED
+CVE-2018-16583
+	RESERVED
+CVE-2018-16582
+	RESERVED
+CVE-2018-16581
+	RESERVED
+CVE-2018-16580
+	RESERVED
+CVE-2018-16579
+	RESERVED
+CVE-2018-16578
+	RESERVED
+CVE-2018-16577
+	RESERVED
+CVE-2018-16576
+	RESERVED
+CVE-2018-16575
+	RESERVED
+CVE-2018-16574
+	RESERVED
+CVE-2018-16573
+	RESERVED
+CVE-2018-16572
+	RESERVED
+CVE-2018-16571
+	RESERVED
+CVE-2018-16570
+	RESERVED
+CVE-2018-16569
+	RESERVED
+CVE-2018-16568
+	RESERVED
+CVE-2018-16567
+	RESERVED
+CVE-2018-16566
+	RESERVED
+CVE-2018-16565
+	RESERVED
+CVE-2018-16564
+	RESERVED
+CVE-2018-16563
+	RESERVED
+CVE-2018-16562
+	RESERVED
+CVE-2018-16561
+	RESERVED
+CVE-2018-16560
+	RESERVED
+CVE-2018-16559
+	RESERVED
+CVE-2018-16558
+	RESERVED
+CVE-2018-16557
+	RESERVED
+CVE-2018-16556
+	RESERVED
+CVE-2018-16555
+	RESERVED
+CVE-2018-1000801 (okular version 18.08 and earlier contains a Directory Traversal ...)
+	TODO: check
+CVE-2018-1000800 (zephyr-rtos version 1.12.0 contains a NULL base pointer reference ...)
+	TODO: check
+CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation ...)
+	TODO: check
+CVE-2018-1000673
+	REJECTED
+	TODO: check
+CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to ...)
+	TODO: check
+CVE-2018-1000668 (jsish version 2.4.70 2.047 contains a CWE-125: Out-of-bounds Read ...)
+	TODO: check
+CVE-2018-1000667 (NASM nasm-2.13.03 nasm- 2.14rc15 version 2.14rc15 and earlier contains ...)
+	TODO: check
+CVE-2018-1000666 (GIG Technology NV JumpScale Portal 7 version before commit ...)
+	TODO: check
+CVE-2018-1000665 (Dojo Dojo Objective Harness (DOH) version prior to version 1.14 ...)
+	TODO: check
+CVE-2018-1000664 (daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains ...)
+	TODO: check
+CVE-2018-1000663 (jsish version 2.4.70 2.047 contains a Buffer Overflow vulnerability in ...)
+	TODO: check
+CVE-2018-1000661 (jsish version 2.4.67 contains a CWE-476: NULL Pointer Dereference ...)
+	TODO: check
+CVE-2018-1000660 (TOCK version prior to commit 42f7f36e74088036068d62253e1d8fb26605feed. ...)
+	TODO: check
+CVE-2018-1000659 (LimeSurvey version 3.14.4 and earlier contains a directory traversal ...)
+	TODO: check
+CVE-2018-1000658 (LimeSurvey version prior to 3.14.4 contains a file upload ...)
+	TODO: check
+CVE-2017-1000600 (WordPress version <4.9 contains a CWE-20 Input Validation ...)
+	TODO: check
 CVE-2018-16554
 	RESERVED
 CVE-2018-16553
@@ -176,8 +333,8 @@ CVE-2018-16461
 	RESERVED
 CVE-2018-16460
 	RESERVED
-CVE-2018-16459
-	RESERVED
+CVE-2018-16459 (An unescaped payload in exceljs <v1.6 allows a possible XSS via cell ...)
+	TODO: check
 CVE-2018-1000672
 	REJECTED
 CVE-2018-1000662
@@ -232,7 +389,7 @@ CVE-2018-16437 (Gxlcms 2.0 has Directory Traversal exploitable by an administrat
 CVE-2018-16436 (Gxlcms 2.0 has SQL Injection exploitable by an administrator. ...)
 	NOT-FOR-US: Gxlcms
 CVE-2018-16435 (Little CMS (aka Little Color Management System) 2.9 has an integer ...)
-	{DSA-4284-1}
+	{DSA-4284-1 DLA-1496-1}
 	- lcms2 2.9-3 (bug #907983)
 	- lcms <removed>
 	- chromium-browser 69.0.3497.81-1
@@ -1605,7 +1762,7 @@ CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Inco
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=520bb0ea7519aa3e79db78aaf0589dae02103764
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699654
 	NOTE: Partially fixed in 9.22~dfsg-3, see #907703
-CVE-2018-16585
+CVE-2018-16585 (An issue was discovered in Artifex Ghostscript before 9.24. The ...)
 	- ghostscript <unfixed>
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
@@ -4493,8 +4650,8 @@ CVE-2018-14634
 	RESERVED
 CVE-2018-14633
 	RESERVED
-CVE-2018-14632
-	RESERVED
+CVE-2018-14632 (An out of bound write can occur when patching an Openshift object ...)
+	TODO: check
 CVE-2018-14631
 	RESERVED
 CVE-2018-14630
@@ -4513,8 +4670,7 @@ CVE-2018-14625 [use-after-free Read in vhost_transport_send_pkt]
 	RESERVED
 	- linux <unfixed>
 	NOTE: https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039
-CVE-2018-14624 [Server crash through modify command with large DN]
-	RESERVED
+CVE-2018-14624 (A vulnerability was discovered in 389-ds-base through versions ...)
 	- 389-ds-base <unfixed> (bug #907778)
 CVE-2018-14623
 	RESERVED
@@ -13173,8 +13329,8 @@ CVE-2018-11265
 	RESERVED
 CVE-2018-11264
 	RESERVED
-CVE-2018-11263
-	RESERVED
+CVE-2018-11263 (In all Android releases (Android for MSM, Firefox OS for MSM, QRD ...)
+	TODO: check
 CVE-2018-11262 (In Android for MSM, Firefox OS for MSM, and QRD Android with all ...)
 	NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11261
@@ -21479,7 +21635,7 @@ CVE-2018-8026 (This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3
 	NOTE: https://issues.apache.org/jira/browse/SOLR-12450
 CVE-2018-8025 (CVE-2018-8025 describes an issue in Apache HBase that affects the ...)
 	NOT-FOR-US: Apache HBase
-CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible  ...)
+CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible  ...)
 	NOT-FOR-US: Apache Spark
 CVE-2018-8023
 	RESERVED
@@ -22937,7 +23093,7 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le
 	[jessie] - sam2p 0.49.2-3+deb8u2
 	NOTE: https://github.com/pts/sam2p/issues/28
 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...)
-	{DSA-4213-1 DLA-1351-1 DLA-1350-1}
+	{DSA-4213-1 DLA-1497-1 DLA-1351-1 DLA-1350-1}
 	- qemu 1:2.12~rc3+dfsg-1 (bug #892041)
 	- qemu-kvm <removed>
 	NOTE: https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8
@@ -28885,7 +29041,7 @@ CVE-2018-5774
 CVE-2018-5773 (An issue was discovered in markdown2 (aka python-markdown2) through ...)
 	NOT-FOR-US: python-markdown2 (not our markdown, different code base)
 CVE-2017-18043 (Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) ...)
-	{DSA-4213-1}
+	{DSA-4213-1 DLA-1497-1}
 	- qemu 1:2.10.0+dfsg-2
 	[jessie] - qemu <postponed> (Can be fixed along in a future DSA)
 	[wheezy] - qemu <not-affected> (vulnerable code not present)
@@ -29273,7 +29429,7 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ...
 	[jessie] - libav <ignored> (Minor issue)
 	NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110
 CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileged ...)
-	{DSA-4213-1}
+	{DSA-4213-1 DLA-1497-1}
 	- qemu 1:2.12~rc3+dfsg-1 (bug #887392)
 	[jessie] - qemu <postponed> (Minor issue, can be fixed along in future DSA)
 	[wheezy] - qemu <postponed> (Minor issue, can be fixed along in next DLA)
@@ -29281,6 +29437,7 @@ CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileg
 	[wheezy] - qemu-kvm <postponed> (Minor issue, can be fixed along in next DLA)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg02131.html
 CVE-2017-18030 (The cirrus_invalidate_region function in hw/display/cirrus_vga.c in ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-4
 	[wheezy] - qemu 1.1.2+dfsg-6+deb7u22
 	- qemu-kvm <removed>
@@ -39796,8 +39953,8 @@ CVE-2018-1697
 	RESERVED
 CVE-2018-1696
 	RESERVED
-CVE-2018-1695
-	RESERVED
+CVE-2018-1695 (IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations ...)
+	TODO: check
 CVE-2018-1694
 	RESERVED
 CVE-2018-1693
@@ -46251,7 +46408,7 @@ CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 before build 13530 all
 CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 before build 13530 allows ...)
 	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values ...)
-	{DSA-4213-1}
+	{DSA-4213-1 DLA-1497-1}
 	- qemu 1:2.12~rc3+dfsg-1 (bug #882136)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <postponed> (Can be fixed along in a future update)
@@ -50781,7 +50938,7 @@ CVE-2017-15590 (An issue was discovered in Xen through 4.9.x allowing x86 guest
 	[wheezy] - xen <no-dsa> (Patches too intrusive to backport)
 	NOTE: https://xenbits.xen.org/xsa/advisory-237.html
 CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow ...)
-	{DSA-4213-1}
+	{DSA-4213-1 DLA-1497-1}
 	- qemu 1:2.11+dfsg-1 (bug #880832)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <postponed> (Can be fixed along in a future update)
@@ -51678,7 +51835,7 @@ CVE-2017-15040
 CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a ...)
 	NOT-FOR-US: Zurmo
 CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU ...)
-	{DSA-4213-1 DLA-1129-1 DLA-1128-1}
+	{DSA-4213-1 DLA-1497-1 DLA-1129-1 DLA-1128-1}
 	- qemu 1:2.10.0+dfsg-2 (bug #877890)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -54366,7 +54523,7 @@ CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in
 CVE-2017-14168
 	RESERVED
 CVE-2017-14167 (Integer overflow in the load_multiboot function in hw/i386/multiboot.c ...)
-	{DSA-3991-1 DLA-1129-1 DLA-1128-1}
+	{DSA-3991-1 DLA-1497-1 DLA-1129-1 DLA-1128-1}
 	- qemu 1:2.10.0-1 (bug #874606)
 	- qemu-kvm <removed>
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
@@ -62578,7 +62735,7 @@ CVE-2017-11436 (D-Link DIR-615 before v20.12PTb04 has a second admin account wit
 CVE-2017-11435 (The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an ...)
 	NOT-FOR-US: Humax Wi-Fi Router model HG100R-*
 CVE-2017-11434 (The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) ...)
-	{DSA-3925-1 DLA-1071-1 DLA-1070-1}
+	{DSA-3925-1 DLA-1497-1 DLA-1071-1 DLA-1070-1}
 	- qemu 1:2.8+dfsg-7 (bug #869171)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
@@ -64529,7 +64686,7 @@ CVE-2017-10809
 CVE-2017-10808
 	RESERVED
 CVE-2017-10806 (Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick ...)
-	{DSA-3925-1}
+	{DSA-3925-1 DLA-1497-1}
 	- qemu 1:2.8+dfsg-7 (bug #867751)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -67370,7 +67527,7 @@ CVE-2017-10912 (Xen through 4.8.x mishandles page transfer, which allows guest O
 	- xen 4.8.1-1+deb9u3
 	NOTE: https://xenbits.xen.org/xsa/advisory-217.html
 CVE-2017-10911 (The make_response function in drivers/block/xen-blkback/blkback.c in ...)
-	{DSA-3945-1 DSA-3927-1 DSA-3920-1 DLA-1099-1}
+	{DSA-3945-1 DSA-3927-1 DSA-3920-1 DLA-1497-1 DLA-1099-1}
 	- linux 4.11.11-1
 	- qemu 1:2.8+dfsg-7 (bug #869706)
 	[wheezy] - qemu <no-dsa> (Wheezy's xen uses an embedded qemu copy)
@@ -68186,6 +68343,7 @@ CVE-2017-9505 (Atlassian Confluence starting with 4.3.0 before 6.2.1 did not che
 CVE-2017-9504
 	REJECTED
 CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host ...)
+	{DLA-1497-1}
 	- qemu 1:2.10.0-1 (bug #865754)
 	[stretch] - qemu <no-dsa> (Minor issue, can be included in future update)
 	[jessie] - qemu <no-dsa> (Minor issue)
@@ -68599,7 +68757,7 @@ CVE-2017-9375 (QEMU (aka Quick Emulator), when built with USB xHCI controller ..
 	[wheezy] - qemu-kvm <not-affected> (vulnerable code not present)
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c
 CVE-2017-9374 (Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI ...)
-	{DSA-3920-1}
+	{DSA-3920-1 DLA-1497-1}
 	- qemu 1:2.8+dfsg-7 (bug #864568)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -68607,7 +68765,7 @@ CVE-2017-9374 (Memory leak in QEMU (aka Quick Emulator), when built with USB EHC
 	[wheezy] - qemu-kvm <no-dsa> (Minor issue)
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
 CVE-2017-9373 (Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI ...)
-	{DSA-3920-1}
+	{DSA-3920-1 DLA-1497-1}
 	- qemu 1:2.8+dfsg-7 (bug #864216)
 	[wheezy] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -68785,7 +68943,7 @@ CVE-2017-9334 (An incorrect "pair?" check in the Scheme "length&q
 	NOTE: Original announcement: http://lists.nongnu.org/archive/html/chicken-announce/2017-05/msg00000.html
 	NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html
 CVE-2017-9330 (QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI ...)
-	{DSA-3920-1}
+	{DSA-3920-1 DLA-1497-1}
 	- qemu 1:2.8+dfsg-7 (bug #863943)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code no present)
@@ -71704,6 +71862,7 @@ CVE-2017-8380 (Buffer overflow in the "megasas_mmio_write" function in
 	NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e23d04984a78490d8aaa5c45724a3a334933331f (v2.2.0-rc0)
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
 CVE-2017-8379 (Memory leak in the keyboard input event handlers support in QEMU (aka ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-5 (bug #862289)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -71970,7 +72129,7 @@ CVE-2017-8310 (Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.
 	[wheezy] - vlc <end-of-life> (Not supported in wheezy LTS)
 	NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328
 CVE-2017-8309 (Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows ...)
-	{DLA-1071-1 DLA-1070-1}
+	{DLA-1497-1 DLA-1071-1 DLA-1070-1}
 	- qemu 1:2.8+dfsg-5 (bug #862280)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -72408,6 +72567,7 @@ CVE-2017-8114 (Roundcube Webmail allows arbitrary password resets by authenticat
 CVE-2017-8113
 	RESERVED
 CVE-2017-8112 (hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-5 (bug #861351)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <not-affected> (Vulnerable code not present)
@@ -72478,7 +72638,7 @@ CVE-2017-8088
 CVE-2017-8087
 	RESERVED
 CVE-2017-8086 (Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in ...)
-	{DLA-1035-1 DLA-965-1}
+	{DLA-1497-1 DLA-1035-1 DLA-965-1}
 	- qemu 1:2.8+dfsg-5 (bug #861348)
 	- qemu-kvm <removed>
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2 (v2.9.0-rc4)
@@ -72799,7 +72959,7 @@ CVE-2017-7982 (Integer overflow in the plist_from_bin function in bplist.c in ..
 CVE-2017-7981 (Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 ...)
 	NOT-FOR-US: Enalean Tuleap
 CVE-2017-7980 (Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick ...)
-	{DLA-1035-1 DLA-939-1}
+	{DLA-1497-1 DLA-1035-1 DLA-939-1}
 	- qemu 1:2.8+dfsg-4
 	- qemu-kvm <removed>
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=026aeffcb4752054830ba203020ed6eb05bcaba8
@@ -73924,7 +74084,7 @@ CVE-2017-7720 (Buffer overflow in PrivateTunnel 2.7 and 2.8 allows local attacke
 CVE-2017-7719 (SQL injection in the Spider Event Calendar (aka spider-event-calendar) ...)
 	NOT-FOR-US: Spider Event Calendar
 CVE-2017-7718 (hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local ...)
-	{DLA-1035-1 DLA-939-1}
+	{DLA-1497-1 DLA-1035-1 DLA-939-1}
 	- qemu 1:2.8+dfsg-4
 	- qemu-kvm <removed>
 	NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=215902d7b6fb50c6fc216fc74f770858278ed904
@@ -74792,7 +74952,7 @@ CVE-2017-7494 (Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is
 	- samba 2:4.5.8+dfsg-2
 	NOTE: https://www.samba.org/samba/security/CVE-2017-7494.html
 CVE-2017-7493 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing ...)
-	{DLA-1035-1 DLA-965-1}
+	{DLA-1497-1 DLA-1035-1 DLA-965-1}
 	- qemu 1:2.8+dfsg-6
 	- qemu-kvm <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1451709
@@ -75233,7 +75393,7 @@ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
 	NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847
 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...)
-	{DLA-1035-1 DLA-965-1}
+	{DLA-1497-1 DLA-1035-1 DLA-965-1}
 	- qemu 1:2.8+dfsg-4 (bug #859854)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -77784,7 +77944,7 @@ CVE-2017-6508 (CRLF injection vulnerability in the url_parse function in url.c i
 CVE-2017-6506 (In Azure Data Expert Ultimate 2.2.16, the SMTP verification function ...)
 	NOT-FOR-US: Azure Data Expert Ultimate
 CVE-2017-6505 (The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka ...)
-	{DLA-1071-1 DLA-1070-1}
+	{DLA-1497-1 DLA-1071-1 DLA-1070-1}
 	- qemu 1:2.8+dfsg-4 (bug #856969)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -79474,6 +79634,7 @@ CVE-2017-5989
 CVE-2017-5988 (NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is ...)
 	NOT-FOR-US: NetApp
 CVE-2017-5987 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-3 (bug #855159)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -79552,7 +79713,7 @@ CVE-2017-5974 (Heap-based buffer overflow in the __zzip_get32 function in fetch.
 	- zziplib 0.13.62-3.1 (bug #854727)
 	NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/
 CVE-2017-5973 (The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick ...)
-	{DLA-845-1 DLA-842-1}
+	{DLA-1497-1 DLA-845-1 DLA-842-1}
 	- qemu 1:2.8+dfsg-3 (bug #855611)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -80286,7 +80447,7 @@ CVE-2017-5717 (Type Confusion in Content Protection HECI Service in Intel Graphi
 CVE-2017-5716
 	REJECTED
 CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and ...)
-	{DSA-4213-1 DSA-4188-1 DSA-4187-1 DLA-1422-1 DLA-1369-1}
+	{DSA-4213-1 DSA-4188-1 DSA-4187-1 DLA-1497-1 DLA-1422-1 DLA-1369-1}
 	- linux 4.15.11-1
 	- intel-microcode 3.20180425.1
 	[stretch] - intel-microcode 3.20180425.1~deb9u1
@@ -80539,6 +80700,7 @@ CVE-2017-5857 (Memory leak in the virgl_cmd_resource_unref function in ...)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418382
 	NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/21
 CVE-2017-5856 (Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-3 (bug #853996)
 	[jessie] - qemu <no-dsa> (Minor issue; can be fixed in future DSA or point release)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -80850,6 +81012,7 @@ CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the .
 CVE-2004-2778 (Ebuild in Gentoo may change directory and file permissions depending ...)
 	NOT-FOR-US: Gentoo ebuilds dir permissions at install time
 CVE-2017-5667 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-3 (bug #853996)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -81087,6 +81250,7 @@ CVE-2017-5580 (The parse_instruction function in gallium/auxiliary/tgsi/tgsi_tex
 	NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=28894a30a17a84529be102b21118e55d6c9f23fa (0.6.0)
 	NOTE: https://lists.freedesktop.org/archives/virglrenderer-devel/2017-January/000105.html
 CVE-2017-5579 (Memory leak in the serial_exit_core function in hw/char/serial.c in ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-3 (bug #853002)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -81269,6 +81433,7 @@ CVE-2017-5613 (Format string vulnerability in cgiemail and cgiecho allows remote
 	- cgiemail <removed> (bug #852031)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2016-10155 (Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-2 (low; bug #852232)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -81364,6 +81529,7 @@ CVE-2017-5537 (The password reset form in Weblate before 2.10.1 provides differe
 	- weblate <itp> (bug #745661)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 (Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-2 (bug #851910)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -81374,6 +81540,7 @@ CVE-2017-5526 (Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) all
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
 	NOTE: Sound device hotplug not supported by libvirt
 CVE-2017-5525 (Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-2 (bug #852021)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -86569,7 +86736,7 @@ CVE-2016-9923 (Quick Emulator (Qemu) built with the 'chardev' backend support is
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05597.html
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=a4afa548fc6dd9842ed86639b4d37d4d1c4ad480 (v2.8.0-rc0)
 CVE-2016-9922 (The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka ...)
-	{DLA-765-1 DLA-764-1}
+	{DLA-1497-1 DLA-765-1 DLA-764-1}
 	- qemu 1:2.8+dfsg-1 (bug #847960)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -86579,7 +86746,7 @@ CVE-2016-9922 (The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (a
 	NOTE: CVE for the "blit pitch values" issue.
 	NOTE: Should be fixed along with CVE-2014-8106
 CVE-2016-9921 (Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator ...)
-	{DLA-765-1 DLA-764-1}
+	{DLA-1497-1 DLA-765-1 DLA-764-1}
 	- qemu 1:2.8+dfsg-1 (bug #847960)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -88036,6 +88203,7 @@ CVE-2016-9912 (Quick Emulator (Qemu) built with the Virtio GPU Device emulator .
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/12
 CVE-2016-9916 (Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-1 (bug #847496)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue, virtfs-proxy-helper not present)
@@ -88046,6 +88214,7 @@ CVE-2016-9916 (Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) al
 	NOTE: Proxy filesystem driver introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=4c793dda22213a7aba8e4d9a814e8f368a5f8bf7 (v1.0-rc0)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
 CVE-2016-9915 (Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-1 (bug #847496)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (handle driver not included during compilation)
@@ -88057,6 +88226,7 @@ CVE-2016-9915 (Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) a
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
 	NOTE: proxy driver not included during compilation in wheezy, see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9914 (Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-1 (bug #847496)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (proxy and handle drivers not included during compilation)
@@ -88076,13 +88246,14 @@ CVE-2016-9913 (Memory leak in the v9fs_device_unrealize_common function in ...)
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42 (v2.8.0-rc2)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
 CVE-2016-9911 (Quick Emulator (Qemu) built with the USB EHCI Emulation support is ...)
-	{DLA-765-1 DLA-764-1}
+	{DLA-1497-1 DLA-765-1 DLA-764-1}
 	- qemu 1:2.8+dfsg-1 (bug #847951)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=791f97758e223de3290592d169f (v2.8.0-rc0)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/10
 CVE-2016-9907 (Quick Emulator (Qemu) built with the USB redirector usb-guest support ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-1 (bug #847953)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
@@ -89946,7 +90117,7 @@ CVE-2017-2621 (An access-control flaw was found in the OpenStack Orchestration (
 	- heat <not-affected> (heat-common postinst chmod's 0750 /var/log/heat)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420990
 CVE-2017-2620 (Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA ...)
-	{DLA-1270-1 DLA-845-1 DLA-842-1}
+	{DLA-1497-1 DLA-1270-1 DLA-845-1 DLA-842-1}
 	- qemu 1:2.8+dfsg-3 (bug #855791)
 	- qemu-kvm <removed>
 	- xen 4.4.0-1
@@ -89974,7 +90145,7 @@ CVE-2017-2616 (A race condition was found in util-linux before 2.32.1 in the way
 	NOTE: Coreutils: Removed from source in https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=928dd737
 	NOTE: and not installed by default since 2007.
 CVE-2017-2615 (Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator ...)
-	{DLA-845-1 DLA-842-1}
+	{DLA-1497-1 DLA-845-1 DLA-842-1}
 	- qemu 1:2.8+dfsg-3 (low; bug #854731)
 	NOTE: Introduced with: http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106)
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
@@ -94957,6 +95128,7 @@ CVE-2016-9777 (KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled,
 	NOTE: Introduced in: https://git.kernel.org/linus/af1bae5497b98cb99d6b0492e6981f060420a00c (v4.8-rc1)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/02/2
 CVE-2016-9776 (QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-1 (bug #846797)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -95402,7 +95574,7 @@ CVE-2016-9604 (It was discovered in the Linux kernel before 4.11-rc8 that root c
 	[jessie] - linux 3.16.43-1
 	NOTE: Fixed by: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
 CVE-2016-9603 (A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA ...)
-	{DLA-1270-1 DLA-1035-1 DLA-939-1}
+	{DLA-1497-1 DLA-1270-1 DLA-1035-1 DLA-939-1}
 	- qemu 1:2.8+dfsg-4 (bug #857744)
 	- qemu-kvm <removed>
 	- xen 4.4.0-1
@@ -95411,7 +95583,7 @@ CVE-2016-9603 (A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/14/2
 	NOTE: Upstream patch http://git.qemu-project.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6
 CVE-2016-9602 (Qemu before version 2.9 is vulnerable to an improper link following ...)
-	{DLA-1035-1 DLA-965-1}
+	{DLA-1497-1 DLA-1035-1 DLA-965-1}
 	- qemu 1:2.8+dfsg-3 (bug #853006)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -98669,7 +98841,7 @@ CVE-2016-8671 (The pstm_exptmod function in MatrixSSL 3.8.6 and earlier does not
 	- matrixssl <not-affected> (Incomplete fix for CVE-2016-6887 not applied)
 	NOTE: https://blog.fuzzing-project.org/54-Update-on-MatrixSSL-miscalculation-incomplete-fix-for-CVE-2016-6887.html
 CVE-2016-8669 (The serial_update_parameters function in hw/char/serial.c in QEMU (aka ...)
-	{DLA-679-1 DLA-678-1}
+	{DLA-1497-1 DLA-679-1 DLA-678-1}
 	- qemu 1:2.8+dfsg-1 (bug #840945)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -98684,6 +98856,7 @@ CVE-2016-8668 (The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02501.html
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384896
 CVE-2016-8667 (The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick ...)
+	{DLA-1497-1}
 	- qemu 1:2.8+dfsg-4 (bug #840950)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (minor issue)
@@ -99283,7 +99456,7 @@ CVE-2016-8577 (Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (ak
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07127.html
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e95c9a493a5a8d6f969e86c9f19f80ffe6587e19
 CVE-2016-8576 (The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick ...)
-	{DLA-679-1 DLA-678-1}
+	{DLA-1497-1 DLA-679-1 DLA-678-1}
 	- qemu 1:2.8+dfsg-1 (bug #840343)
 	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
@@ -104852,6 +105025,7 @@ CVE-2016-10051 (Use-after-free vulnerability in the ReadPWPImage function in ...
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecc03a2518c2b7dd375fde3a040fdae0bdf6a521
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3
 CVE-2016-6833 (Use-after-free vulnerability in the vmxnet3_io_bar0_write function in ...)
+	{DLA-1497-1}
 	- qemu 1:2.6+dfsg-3.1 (bug #834904)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present, vmxnet3 introduced in 1.5)
 	- qemu-kvm <removed>
@@ -104869,6 +105043,7 @@ CVE-2016-6834 (The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.
 	NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01601.html
 	NOTE: http://www.openwall.com/lists/oss-security/2016/08/11/8
 CVE-2016-6835 (The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in ...)
+	{DLA-1497-1}
 	- qemu 1:2.6+dfsg-3.1 (bug #835031)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present, vmxnet3 introduced in 1.5)
 	- qemu-kvm <removed>
@@ -120323,6 +120498,7 @@ CVE-2016-3197
 CVE-2016-2092
 	RESERVED
 CVE-2016-2198 (QEMU (aka Quick Emulator) built with the USB EHCI emulation support is ...)
+	{DLA-1497-1}
 	- qemu 1:2.6+dfsg-1 (bug #813193)
 	[jessie] - qemu <no-dsa> (Minor issue; Can be fixed along with a future DSA)
 	[wheezy] - qemu <not-affected> (Introduced after v1.2.0)
@@ -124030,6 +124206,7 @@ CVE-2015-8665 (tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause
 	NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/2
 	NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
 CVE-2015-8666 (Heap-based buffer overflow in QEMU, when built with the ...)
+	{DLA-1497-1}
 	- qemu 1:2.5+dfsg-1
 	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue)
@@ -227470,7 +227647,7 @@ CVE-2011-0706 (The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in
 	{DSA-2224-1}
 	- openjdk-6 6b18-1.8.7-1
 CVE-2011-0705 [path traversal in SimpleHTTPServer]
-	RESERVED
+	REJECTED
 	NOTE: Will be rejected
 CVE-2011-0704 (389 Directory Server 1.2.7.5, when built with mozldap, allows remote ...)
 	NOT-FOR-US: 389 Directory Server



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f35aabfc260177f9f7d20b81537d5cb63885a01e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f35aabfc260177f9f7d20b81537d5cb63885a01e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180906/2a9686cd/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list