[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff jmm at debian.org
Thu Jul 4 16:24:02 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2401bbab by Moritz Muehlenhoff at 2019-07-04T15:23:40Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -42436,7 +42436,7 @@ CVE-2018-16838 (A flaw was found in sssd Group Policy Objects implementation. Wh
 	NOTE: GPO based access control introduced in https://github.com/SSSD/sssd/commit/60cab26b12
 	NOTE: seems to presuppose configuration mistake: if sssd is not given enough permissions
 	NOTE: to read GPO, access is systematically granted instead of denied
-	TODO: check, Bugzilla entry does not provide details
+	NOTE: https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175
 CVE-2018-16837 (Ansible "User" module leaks any data which is passed on as a parameter ...)
 	{DSA-4396-1 DLA-1576-1}
 	- ansible 2.7.1+dfsg-1 (bug #912297)
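Review bot: the replacement NOTE is a bare pagure commit URL with no label, whereas this file labels such links elsewhere (the libXfont entry uses `NOTE: Fixed by: https://cgit.freedesktop.org/...`); stating what the commit is, e.g. `NOTE: Fixed by: https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175`, saves the next reader a lookup. The two NOTEs kept above it still frame the flaw as presupposing a configuration mistake; if the linked commit settles whether it is a real fix-worthy bug, a one-line NOTE recording that conclusion would close the question the removed TODO tracked, rather than leaving it implicit.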
@@ -44000,9 +44000,9 @@ CVE-2018-16251 (A "search for user discovery" injection issue exists in Creatiwi
 CVE-2018-16250 (The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presen ...)
 	NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-16249 (In Symphony before 3.3.0, there is XSS in the Title under Post. The ID ...)
-	TODO: check
+	NOT-FOR-US: b3log
 CVE-2018-16248 (b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles ...)
-	TODO: check
+	NOT-FOR-US: b3log
 CVE-2018-16247 (YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html ti ...)
 	NOT-FOR-US: YzmCMS
 CVE-2018-16246
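Review bot: `NOT-FOR-US: b3log` names the vendor rather than the product, while the surrounding entries name the affected product (`NOT-FOR-US: YzmCMS`, `NOT-FOR-US: Creatiwity wityCMS`); since the two descriptions cover different b3log products (Symphony and Solo), `NOT-FOR-US: b3log Symphony` and `NOT-FOR-US: b3log Solo` would make each entry self-explanatory without a CVE lookup.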
@@ -66964,7 +66964,9 @@ CVE-2018-7579 (\application\admin\controller\update_urls.class.php in YzmCMS 3.6
 CVE-2018-7578
 	RESERVED
 CVE-2018-7577 (Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Go ...)
-	TODO: check
+	- snappy <undetermined>
+	NOTE: https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
+	NOTE: There are no useful details, could just as well be a misuse of snappy by Tensorflow
 CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Deref ...)
 	- tensorflow <itp> (bug #804612)
 CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow v ...)
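Review bot: the snappy line is marked `<undetermined>` and the second NOTE says the bug may just be TensorFlow's misuse of snappy, yet no tensorflow line is added, although the adjacent CVE-2018-7576 entry carries `- tensorflow <itp> (bug #804612)`; either add the same tensorflow line here or extend the NOTE to say why only snappy is tracked. The advisory URL points at `blob/master`, which breaks if the file is moved or renamed; a permalink to a specific commit or tag is the safer reference for a tracker entry.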
@@ -78301,7 +78303,7 @@ CVE-2017-1000501 (Awstats version 7.6 and earlier is vulnerable to a path traver
 	NOTE: https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899
 	NOTE: https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
 CVE-2017-17972 (packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the ...)
-	TODO: check
+	NOT-FOR-US: Archon
 CVE-2017-17971 (The test_sql_and_script_inject function in htdocs/main.inc.php in Doli ...)
 	- dolibarr <removed> (bug #885828)
 	NOTE: https://github.com/Dolibarr/dolibarr/issues/8000
@@ -98126,9 +98128,9 @@ CVE-2017-14397 (AnyDesk before 3.6.1 on Windows has a DLL injection vulnerabilit
 CVE-2017-14396 (In osTicket before 1.10.1, SQL injection is possible by constructing a ...)
 	NOT-FOR-US: osTicket
 CVE-2017-14395 (Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM)  ...)
-	TODO: check
+	NOT-FOR-US: OpenAM
 CVE-2017-14394 (OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) ...)
-	TODO: check
+	NOT-FOR-US: OpenAM
 CVE-2017-14393
 	REJECTED
 CVE-2017-14392
@@ -100120,7 +100122,7 @@ CVE-2017-13720 (In the PatternMatch function in fontfile/fontdir.c in libXfont t
 	NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608
 	NOTE: libxfont1 is only used by xfonts-utils, no security impact
 CVE-2017-13719 (The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322  ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-13718 (The HTTP API supported by Starry Station (aka Starry Router) allows br ...)
 	NOT-FOR-US: Starry Station
 CVE-2017-13717 (Starry Station (aka Starry Router) sets the Access-Control-Allow-Origi ...)
@@ -103108,7 +103110,7 @@ CVE-2017-12780 (The ReadData function in ebmlstring.c in libebml2 through 2012-0
 CVE-2017-12779 (The Node_GetData function in corec/corec/node/node.c in mkvalidator 0. ...)
 	NOT-FOR-US: libembl2 (different codebase than src:libebml)
 CVE-2017-12778 (** DISPUTED ** The UI Lock feature in qBittorrent version 3.3.15 is vu ...)
-	TODO: check
+	NOT-FOR-US: qBittorrent non issue
 CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to non-UFO path ...)
 	{DSA-3981-1}
 	- linux 4.12.6-1 (low)
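Review bot: `NOT-FOR-US: qBittorrent non issue` mixes two different verdicts: NOT-FOR-US means the software is not in Debian, while "non issue" is a judgement on the report itself (the description is already marked ** DISPUTED **). Pick one: if qBittorrent is not packaged, plain `NOT-FOR-US: qBittorrent` matches the other entries in this commit; if it is, the file's convention is a package line with a qualifier plus a NOTE giving the reason, as in `- dpkg 1.18.24 (unimportant)` further down. Unrelated to this change, the context line above reads `libembl2` where the preceding CVE-2017-12780 description spells the project libebml2.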
@@ -106549,9 +106551,9 @@ CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Log
 CVE-2017-11580 (Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory c ...)
 	NOT-FOR-US: Blipcare Wifi blood pressure monitor BP700 10.1 devices
 CVE-2017-11579 (In the most recent firmware for Blipcare, the device provides an open  ...)
-	TODO: check
+	NOT-FOR-US: Blipcare
 CVE-2017-11578 (It was discovered as a part of the research on IoT devices in the most ...)
-	TODO: check
+	NOT-FOR-US: Blipcare
 CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid (pars ...)
 	{DSA-3958-1 DLA-1065-1}
 	- fontforge 1:20170731~dfsg-1 (bug #869614)
@@ -113203,11 +113205,11 @@ CVE-2017-9329
 CVE-2017-9328 (Shell metacharacter injection vulnerability in /usr/www/include/ajax/G ...)
 	NOT-FOR-US: TerraMaster TOS
 CVE-2017-9327 (Secret data of processes managed by CM is not secured by file permissi ...)
-	TODO: check
+	NOT-FOR-US: Cloudera
 CVE-2017-9326 (The keystore password for the Spark History Server may be exposed in u ...)
-	TODO: check
+	NOT-FOR-US: Cloudera
 CVE-2017-9325 (The provided secure solrconfig.xml sample configuration does not enfor ...)
-	TODO: check
+	NOT-FOR-US: Cloudera
 CVE-2017-9334 (An incorrect "pair?" check in the Scheme "length" procedure results in ...)
 	- chicken 4.12.0-0.2 (low; bug #863884)
 	[stretch] - chicken <no-dsa> (Minor issue)
@@ -116600,15 +116602,15 @@ CVE-2017-8232
 CVE-2017-8231
 	RESERVED
 CVE-2017-8230 (On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on th ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-8229 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenti ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-8228 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots w ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-8227 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout poli ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-8226 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default creden ...)
-	TODO: check
+	NOT-FOR-US: Amcrest
 CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU pat ...)
 	- dpkg 1.18.24 (unimportant)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/20/2
@@ -121271,7 +121273,7 @@ CVE-2017-6902
 CVE-2017-6901
 	RESERVED
 CVE-2017-6900 (An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue  ...)
-	TODO: check
+	NOT-FOR-US: Riello NetMan
 CVE-2017-6899 (The msm_bus_dbg_update_request_write function in drivers/platform/msm/ ...)
 	NOT-FOR-US: android_kernel_huawei_msm8916 in LineageOS (and other kernels for MSM devices)
 CVE-2017-6898
@@ -123382,7 +123384,7 @@ CVE-2017-6218
 CVE-2017-6217
 	RESERVED
 CVE-2017-6216 (novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a ref ...)
-	TODO: check
+	NOT-FOR-US: novaksolutions/infusionsoft-php-sdk
 CVE-2017-6215 (paypal/permissions-sdk-php is vulnerable to reflected XSS in the sampl ...)
 	NOT-FOR-US: PayPal permissions-sdk-php
 CVE-2017-6213 (paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permi ...)
@@ -184800,7 +184802,7 @@ CVE-2015-3908 (Ansible before 1.9.2 does not verify that the server hostname mat
 	[jessie] - ansible <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/4
 CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE  ...)
-	TODO: check
+	NOT-FOR-US: CodeIgniter Rest Server
 CVE-2015-3906 (The logcat_dump_text function in wiretap/logcat.c in the Android Logca ...)
 	{DSA-3277-1}
 	- wireshark 1.12.5+g5819e5b-1
@@ -192754,7 +192756,7 @@ CVE-2015-1344 (The do_write_pids function in lxcfs.c in LXCFS before 0.12 does n
 	- lxcfs <not-affected> (Fixed before initial upload to the archive)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1512854
 CVE-2015-1343 (All versions of unity-scope-gdrive logs search terms to syslog. ...)
-	TODO: check
+	NOT-FOR-US: unity-scope-gdrive
 CVE-2015-1342 (LXCFS before 0.12 does not properly enforce directory escapes, which m ...)
 	- lxcfs <not-affected> (Fixed before initial upload to the archive)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481
@@ -192818,7 +192820,7 @@ CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) pack
 	NOTE: https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html
 	NOTE: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549
 CVE-2015-1327 (Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only ...)
-	TODO: check
+	NOT-FOR-US: Content Hub
 CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call  ...)
 	- python-dbusmock 0.15.1-1 (bug #786858)
 	[jessie] - python-dbusmock 0.11.4-1+deb8u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2401bbab68c229ff92867646f02bec9d9536c247
