Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a9ed6023 by security tracker role at 2018-04-16T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,29 @@
+CVE-2018-10137 (iScripts UberforX 2.2 has CSRF in the 
"manage_settings" section of the ...)
+       TODO: check
+CVE-2018-10136 (iScripts UberforX 2.2 has Stored XSS in the 
"manage_settings" section ...)
+       TODO: check
+CVE-2018-10135 (iScripts eSwap v2.4 has Reflected XSS via the 
"catwiseproducts.php" ...)
+       TODO: check
+CVE-2018-10134
+       RESERVED
+CVE-2018-10133 (PbootCMS v0.9.8 allows PHP code injection via an IF label in 
...)
+       TODO: check
+CVE-2018-10132 (PbootCMS v0.9.8 has CSRF via an ...)
+       TODO: check
+CVE-2018-10131
+       RESERVED
+CVE-2018-10130
+       RESERVED
+CVE-2018-10129
+       RESERVED
+CVE-2018-10128 (An issue was discovered in XYHCMS 3.5. It has XSS via the test 
...)
+       TODO: check
+CVE-2018-10127 (An issue was discovered in XYHCMS 3.5. It has CSRF via an ...)
+       TODO: check
+CVE-2018-10126
+       RESERVED
+CVE-2018-10125
+       RESERVED
 CVE-2018-10123
        RESERVED
 CVE-2018-10122 (QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka 
...)
@@ -91,7 +117,7 @@ CVE-2018-10089
        RESERVED
 CVE-2018-10088
        RESERVED
-CVE-2018-10124 [kernel/signal.c: avoid undefined behaviour in 
kill_something_info]
+CVE-2018-10124 (The kill_something_info function in kernel/signal.c in the 
Linux kernel ...)
        - linux 4.13.4-1
        NOTE: Fixed by: 
https://git.kernel.org/linus/4ea77014af0d6205b05503d1c7aac6eace11d473 (4.13-rc1)
 CVE-2018-10087 (The kernel_wait4 function in kernel/exit.c in the Linux kernel 
before ...)
@@ -235,7 +261,7 @@ CVE-2018-10023 (Catfish CMS V4.7.21 allows XSS via the 
pinglun parameter to ...)
        NOT-FOR-US: Catfish CMS
 CVE-2018-10022
        RESERVED
-CVE-2018-10021 (drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 
4.16 ...)
+CVE-2018-10021 (** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the 
Linux kernel ...)
        - linux <unfixed>
        NOTE: Fixed by: 
https://git.kernel.org/linus/318aaf34f1179b39fa9c30fa0f3288b645beee39 (4.16-rc7)
        NOTE: Low security impact, failure can only occur for physically
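Review bot: CVE-2018-10021 now carries the ** DISPUTED ** prefix in its description, but the tracking lines under it are unchanged: the package line still reads "- linux <unfixed>" beside a "Fixed by" note pointing at 4.16-rc7 and a note on low security impact. Suggest revisiting the status line when the dispute is triaged and recording the dispute in a NOTE, so the reasoning does not live only in the truncated description.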
@@ -12625,8 +12651,7 @@ CVE-2018-5384
        RESERVED
 CVE-2018-5383
        RESERVED
-CVE-2018-5382 [BKS-V1 keystore files vulnerable to trivial hash collisions]
-       RESERVED
+CVE-2018-5382 (Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC 
that ...)
        - bouncycastle 1.48+dfsg-2
        [wheezy] - bouncycastle <ignored> (this only affects the integrity 
verification and not the content of the BKS keystore)
        NOTE: 
https://insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html
@@ -16281,14 +16306,14 @@ CVE-2018-3851
        RESERVED
 CVE-2018-3850
        RESERVED
-CVE-2018-3849
-       RESERVED
-CVE-2018-3848
-       RESERVED
+CVE-2018-3849 (In the ffghtb function in NASA CFITSIO 3.42, specially crafted 
images ...)
+       TODO: check
+CVE-2018-3848 (In the ffghbn function in NASA CFITSIO 3.42, specially crafted 
images ...)
+       TODO: check
 CVE-2018-3847
        RESERVED
-CVE-2018-3846
-       RESERVED
+CVE-2018-3846 (In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, 
specially ...)
+       TODO: check
 CVE-2018-3845
        RESERVED
 CVE-2018-3844
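Review bot: the three entries moved from RESERVED to "TODO: check" here (CVE-2018-3849, CVE-2018-3848, CVE-2018-3846) all name NASA CFITSIO 3.42, so they are best triaged in one pass against the same source and version rather than as three separate TODO items.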
@@ -25741,8 +25766,7 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive 
definition (such as can 
        NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d
 CVE-2018-0738
        RESERVED
-CVE-2018-0737 [Cache timing vulnerability in RSA Key Generation]
-       RESERVED
+CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be 
...)
        - openssl <unfixed> (low; bug #895844)
        [stretch] - openssl <postponed> (Can wait for next DSA and upstream 
release)
        [jessie] - openssl <postponed> (Can wait for next DSA and upstream 
release)
@@ -26241,12 +26265,12 @@ CVE-2018-0564
        RESERVED
 CVE-2018-0563
        RESERVED
-CVE-2018-0562
-       RESERVED
-CVE-2018-0561
-       RESERVED
-CVE-2018-0560
-       RESERVED
+CVE-2018-0562 (Untrusted search path vulnerability in Installer of SoundEngine 
Free ...)
+       TODO: check
+CVE-2018-0561 (Untrusted search path vulnerability in The installer of 
PhishWall ...)
+       TODO: check
+CVE-2018-0560 (Hatena Bookmark App for iOS Version 3.0 to 3.70 allows remote 
...)
+       TODO: check
 CVE-2018-0559
        RESERVED
 CVE-2018-0558
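Review bot: CVE-2018-0561 is added with "TODO: check", yet its visible description ("Untrusted search path vulnerability in The installer of PhishWall ...") matches that of CVE-2018-0552 a few entries further down, which is already marked "NOT-FOR-US: installer of PhishWall Client (Firefox and Chrome edition for Windows)". Once the full description confirms it is the same product, the TODO can be resolved the same way.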
@@ -26263,14 +26287,14 @@ CVE-2018-0553 (The iRemoconWiFi App for Android 
version 4.1.7 and earlier does n
        NOT-FOR-US: iRemoconWiFi App for Android
 CVE-2018-0552 (Untrusted search path vulnerability in The installer of 
PhishWall ...)
        NOT-FOR-US: installer of PhishWall Client (Firefox and Chrome edition 
for Windows)
-CVE-2018-0551
-       RESERVED
-CVE-2018-0550
-       RESERVED
-CVE-2018-0549
-       RESERVED
-CVE-2018-0548
-       RESERVED
+CVE-2018-0551 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 
4.6.1 ...)
+       TODO: check
+CVE-2018-0550 (Cybozu Garoon 3.5.0 to 4.6.1 allows remote authenticated 
attackers to ...)
+       TODO: check
+CVE-2018-0549 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 
4.6.0 ...)
+       TODO: check
+CVE-2018-0548 (Cybozu Garoon 4.0.0 to 4.6.0 allows remote authenticated 
attackers to ...)
+       TODO: check
 CVE-2018-0547 (Cross-site scripting vulnerability in WP All Import plugin 
prior to ...)
        NOT-FOR-US: WP All Import plugin for WordPress
 CVE-2018-0546 (Cross-site scripting vulnerability in WP All Import plugin 
prior to ...)
@@ -26299,14 +26323,14 @@ CVE-2018-0535 (Cross-site scripting vulnerability in 
PHP 2chBBS version bbs18c a
        NOT-FOR-US: PHP 2chBBS
 CVE-2018-0534 (Cross-site scripting vulnerability in ArsenoL Version 0.5 
allows an ...)
        NOT-FOR-US: ArsenoL
-CVE-2018-0533
-       RESERVED
-CVE-2018-0532
-       RESERVED
-CVE-2018-0531
-       RESERVED
-CVE-2018-0530
-       RESERVED
+CVE-2018-0533 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated 
attackers to ...)
+       TODO: check
+CVE-2018-0532 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated 
attackers to ...)
+       TODO: check
+CVE-2018-0531 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated 
attackers to ...)
+       TODO: check
+CVE-2018-0530 (SQL injection vulnerability in the Cybozu Garoon 3.5.0 to 4.2.6 
allows ...)
+       TODO: check
 CVE-2018-0529
        RESERVED
 CVE-2018-0528
@@ -42448,9 +42472,11 @@ CVE-2017-12113 (An exploitable improper authorization 
vulnerability exists in ..
 CVE-2017-12112 (An exploitable improper authorization vulnerability exists in 
...)
        - cpp-ethereum <itp> (bug #860434)
 CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the 
xls_addCell ...)
+       {DSA-4173-1}
        - r-cran-readxl 1.0.0-2 (bug #895564)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463
 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the 
...)
+       {DSA-4173-1}
        - r-cran-readxl 1.0.0-2 (bug #895564)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462
 CVE-2017-12109
@@ -48594,8 +48620,7 @@ CVE-2017-10142 (Vulnerability in the Oracle Hospitality 
Reporting and Analytics 
        NOT-FOR-US: Oracle
 CVE-2017-10141 (Vulnerability in the Oracle Outside In Technology component of 
Oracle ...)
        NOT-FOR-US: Oracle
-CVE-2017-10140 [Berkeley DB reads DB_CONFIG from cwd]
-       RESERVED
+CVE-2017-10140 (Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 
3.1.6, and ...)
        {DLA-1137-1 DLA-1136-1 DLA-1135-1}
        - db5.3 5.3.28-13.1 (bug #872436)
        [stretch] - db5.3 5.3.28-12+deb9u1
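Review bot: the new description for CVE-2017-10140 opens with "Postfix before 2.11.10, ..." while the label it replaces said "Berkeley DB reads DB_CONFIG from cwd" and the only package tracked in the visible lines is db5.3. Suggest a NOTE explaining how the Postfix wording relates to the db5.3 tracking, or a check whether postfix needs its own status line, so a reader searching by the description is not misled.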
@@ -60378,8 +60403,8 @@ CVE-2017-6325 (The Symantec Messaging Gateway can 
encounter a file inclusion ...
        NOT-FOR-US: Symantec
 CVE-2017-6324 (The Symantec Messaging Gateway, when processing a specific 
email ...)
        NOT-FOR-US: Symantec
-CVE-2017-6323
-       RESERVED
+CVE-2017-6323 (The Symantec Management Console prior to ITMS 8.1 RU1, ITMS ...)
+       TODO: check
 CVE-2017-6322
        RESERVED
 CVE-2017-XXXX [scanelf: out of bounds read in scanelf_file_get_symtabs 
(scanelf.c)]
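Review bot: CVE-2017-6323 (Symantec Management Console) is left at "TODO: check" while the neighbouring CVE-2017-6325 and CVE-2017-6324 in the same hunk are marked "NOT-FOR-US: Symantec". Suggest confirming the product from the full description and closing the TODO consistently with those entries.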
@@ -71018,6 +71043,7 @@ CVE-2017-2921 (An exploitable memory corruption 
vulnerability exists in the Webs
 CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing 
...)
        NOT-FOR-US: Computerinsel Photoline
 CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists 
in the ...)
+       {DSA-4173-1}
        - r-cran-readxl 1.0.0-2 (bug #895564)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
 CVE-2017-2918
@@ -71066,9 +71092,11 @@ CVE-2017-2899
 CVE-2017-2898 (An exploitable vulnerability exists in the signature 
verification of ...)
        NOT-FOR-US: Circle with Disney
 CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the 
...)
+       {DSA-4173-1}
        - r-cran-readxl 1.0.0-2 (bug #895564)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the 
...)
+       {DSA-4173-1}
        - r-cran-readxl 1.0.0-2 (bug #895564)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403
 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in 
the MQTT ...)
@@ -77386,11 +77414,9 @@ CVE-2016-9594
        RESERVED
        - curl <not-affected> (Only affects 7.52.0)
        NOTE: https://curl.haxx.se/docs/adv_20161223.html
-CVE-2016-9593
-       RESERVED
+CVE-2016-9593 (foreman-debug before version 1.15.0 is vulnerable to a flaw in 
...)
        - foreman <itp> (bug #663101)
-CVE-2016-9592
-       RESERVED
+CVE-2016-9592 (openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable 
to a ...)
        NOT-FOR-US: OpenShift
 CVE-2016-9591 (JasPer before version 2.0.12 is vulnerable to a use-after-free 
in the ...)
        {DSA-3827-1 DLA-920-1}
@@ -79339,10 +79365,10 @@ CVE-2016-9096
        REJECTED
 CVE-2016-9095
        REJECTED
-CVE-2016-9094
-       RESERVED
-CVE-2016-9093
-       RESERVED
+CVE-2016-9094 (Symantec Endpoint Protection clients place detected malware in 
...)
+       TODO: check
+CVE-2016-9093 (A version of the SymEvent Driver that shipped with Symantec 
Endpoint ...)
+       TODO: check
 CVE-2016-9092
        REJECTED
 CVE-2016-9091 (Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and 
Content ...)
@@ -128274,8 +128300,8 @@ CVE-2015-1954 (Stack-based buffer overflow in the 
server in IBM Tivoli Storage .
        NOT-FOR-US: IBM
 CVE-2015-1953 (Stack-based buffer overflow in the server in IBM Tivoli Storage 
...)
        NOT-FOR-US: IBM
-CVE-2015-1952
-       RESERVED
+CVE-2015-1952 (Cross-site scripting (XSS) vulnerability in IBM AppScan 
Enterprise ...)
+       TODO: check
 CVE-2015-1951 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 
7.5.0.8 ...)
        NOT-FOR-US: IBM
 CVE-2015-1950 (IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not 
require ...)
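Review bot: CVE-2015-1952 (IBM AppScan Enterprise) gets "TODO: check" although the surrounding entries CVE-2015-1954, CVE-2015-1953 and CVE-2015-1951 are all "NOT-FOR-US: IBM". Suggest resolving it the same way once the full description confirms the product.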
@@ -130071,6 +130097,7 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 
3.0.2 and earlier allows remo
 CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, 
and ...)
        NOT-FOR-US: patch as used in FreeBSD specifically
 CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation 
vulnerability ...)
+       {DLA-1348-1}
        - patch 2.7.6-2 (bug #894993)
        [stretch] - patch <no-dsa> (Can be fixed via point release)
        [jessie] - patch <no-dsa> (Can be fixed via point release)
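Review bot: CVE-2018-1000156 sits directly after CVE-2015-1418 in the context of this hunk, inside a run of CVE-2015 entries, so the new {DLA-1348-1} tag lands on an entry that is easy to miss when scanning by ID. If the placement is intentional because of the relation to the GNU patch issue in CVE-2015-1418, a NOTE on the entry saying so would help; otherwise consider moving it to its numeric position.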



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a9ed6023fd14a27c9655b2534e555172e72e9413

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits