Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2c32a71a by security tracker role at 2018-04-30T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,29 @@ +CVE-2018-10573 (interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote ...) + TODO: check +CVE-2018-10572 (interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote ...) + TODO: check +CVE-2018-10571 (Multiple reflected cross-site scripting (XSS) vulnerabilities in ...) + TODO: check +CVE-2018-10570 (Frog CMS 0.9.5 has XSS in /install/index.php via the ...) + TODO: check +CVE-2018-10569 + RESERVED +CVE-2018-10568 + RESERVED +CVE-2018-10567 + RESERVED +CVE-2018-10566 + RESERVED +CVE-2018-10565 + RESERVED +CVE-2018-10564 + RESERVED +CVE-2018-10563 + RESERVED +CVE-2018-10562 + RESERVED +CVE-2018-10561 + RESERVED CVE-2018-10560 RESERVED CVE-2018-10559 @@ -305,8 +331,8 @@ CVE-2018-10434 RESERVED CVE-2018-10433 RESERVED -CVE-2017-18262 - RESERVED +CVE-2017-18262 (Blackboard Learn (Since at least 17th of October 2017) has allowed ...) + TODO: check CVE-2018-10471 (An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS ...) - xen <unfixed> NOTE: https://xenbits.xen.org/xsa/advisory-259.html @@ -916,6 +942,7 @@ CVE-2018-10182 RESERVED CVE-2018-1000199 RESERVED + {DLA-1369-1} CVE-2018-10181 RESERVED CVE-2018-10180 @@ -2857,8 +2884,8 @@ CVE-2018-1000152 (An improper authorization vulnerability exists in Jenkins vSph NOT-FOR-US: Jenkins plugin CVE-2018-1000153 (A cross-site request forgery vulnerability exists in Jenkins vSphere ...) NOT-FOR-US: Jenkins plugin -CVE-2018-9310 - RESERVED +CVE-2018-9310 (An issue was discovered in MagniComp SysInfo before 10-H81 if setuid ...) + TODO: check CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection via the ...) NOT-FOR-US: zzcms CVE-2018-9308 @@ -4087,8 +4114,8 @@ CVE-2018-8841 RESERVED CVE-2018-8840 (A remote attacker could send a carefully crafted packet in InduSoft ...) NOT-FOR-US: InduSoft -CVE-2018-8839 - RESERVED +CVE-2018-8839 (Delta PMSoft versions 2.10 and prior have multiple stack-based buffer ...) + TODO: check CVE-2018-8838 (A weakness in access controls in CENTUM CS 1000 all versions, CENTUM ...) NOT-FOR-US: CENTUM CVE-2018-8837 (Processing specially crafted .pm3 files in Advantech WebAccess HMI ...) @@ -4131,6 +4158,7 @@ CVE-2018-8824 CVE-2018-8823 (modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu ...) NOT-FOR-US: Responsive Mega Menu Pro module for PrestaShop CVE-2018-8822 (Incorrect buffer length handling in the ncp_read_kernel function in ...) + {DLA-1369-1} - linux 4.15.17-1 CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Information ...) - network-manager <unfixed> (bug #895658) @@ -4246,6 +4274,7 @@ CVE-2018-8783 CVE-2018-8782 RESERVED CVE-2018-8781 (The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux ...) + {DLA-1369-1} - linux 4.15.17-1 NOTE: https://patchwork.freedesktop.org/patch/211845/ NOTE: Fixed by: https://git.kernel.org/linus/3b82a4db8eaccce735dffd50b4d4e1578099b8e8 @@ -6278,8 +6307,8 @@ CVE-2018-7903 RESERVED CVE-2018-7902 RESERVED -CVE-2018-7901 - RESERVED +CVE-2018-7901 (RCS module in Huawei ALP-AL00B smart phones with software versions ...) + TODO: check CVE-2018-7900 RESERVED CVE-2018-7899 (The Mali Driver of Huawei Berkeley-AL20 and Berkeley-BD smart phones ...) @@ -6298,9 +6327,10 @@ CVE-2018-7893 (CMS Made Simple (CMSMS) 2.2.6 has stored XSS in ...) NOT-FOR-US: CMS Made Simple CVE-2018-7892 RESERVED -CVE-2018-7891 - RESERVED +CVE-2018-7891 (The Milestone XProtect Video Management Software (Corporate, Expert, ...) + TODO: check CVE-2018-7995 (** DISPUTED ** Race condition in the store_int_with_restart() function ...) + {DLA-1369-1} - linux 4.15.11-1 NOTE: https://lkml.org/lkml/2018/3/2/970 CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine ...) @@ -6615,6 +6645,7 @@ CVE-2018-7759 (A buffer overflow vulnerability exists in Schneider Electric's Mo CVE-2018-7758 (A denial of service vulnerability exists in Schneider Electric's MiCOM ...) NOT-FOR-US: Schneider CVE-2018-7757 (Memory leak in the sas_smp_get_phy_events function in ...) + {DLA-1369-1} - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 (4.16-rc1) CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does ...) @@ -6682,6 +6713,7 @@ CVE-2018-1000117 (Python Software Foundation CPython version From 3.2 until 3.6. NOTE: http://hg.python.org/lookup/6921e73e33edc3c61bc2d78ed558eaa22a89a564 NOTE: https://bugs.python.org/issue33001 CVE-2018-7740 (The resv_map_release function in mm/hugetlb.c in the Linux kernel ...) + {DLA-1369-1} - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199037 CVE-2018-7739 (antsle antman before 0.9.1a allows remote attackers to bypass ...) @@ -6910,6 +6942,7 @@ CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux ke CVE-2017-18217 (An issue was discovered in InvoicePlane before 1.5.5. It was observed ...) NOT-FOR-US: InvoicePlane CVE-2017-18216 (In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, ...) + {DLA-1369-1} - linux 4.15.4-1 NOTE: Fixed by: https://git.kernel.org/linus/853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 CVE-2017-18215 (xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when ...) @@ -7314,6 +7347,7 @@ CVE-2018-7567 (** DISPUTED ** In the Admin Package Manager in Open Ticket Reques NOTE: installed which is not verified by the OTRS Group. Responsiblity of the NOTE: respective admin to check packages before installation. CVE-2018-7566 (The Linux kernel 4.15 has a Buffer Overflow via an ...) + {DLA-1369-1} - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da CVE-2018-7565 (CSRF exists on Polycom QDX 6000 devices. ...) @@ -7549,6 +7583,7 @@ CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kerne [wheezy] - linux <not-affected> (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel ...) + {DLA-1369-1} - linux 4.14.7-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/b9a41d21dceadf8104812626ef85dc56ee8a60ed @@ -7559,6 +7594,7 @@ CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux ke [wheezy] - linux <not-affected> (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146 CVE-2018-7492 (A NULL pointer dereference was found in the net/rds/rdma.c ...) + {DLA-1369-1} - linux 4.14.7-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/f3069c6d33f6ae63a1668737bc78aaaa51bff7ca @@ -9373,6 +9409,7 @@ CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion c NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e NOTE: https://github.com/qpdf/qpdf/issues/51 CVE-2018-6927 (The futex_requeue function in kernel/futex.c in the Linux kernel before ...) + {DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a @@ -12837,6 +12874,7 @@ CVE-2018-5804 RESERVED CVE-2018-5803 [Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service] RESERVED + {DLA-1369-1} - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp] @@ -13057,7 +13095,7 @@ CVE-2017-18034 (The source browse resource in Atlassian FishEye and Crucible bef CVE-2017-18033 (The Jira-importers-plugin in Atlassian Jira before version 7.6.1 ...) NOT-FOR-US: Jira-importers-plugin in Atlassian Jira CVE-2018-5750 (The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux ...) - {DSA-4120-1} + {DSA-4120-1 DLA-1369-1} - linux 4.15.4-1 NOTE: https://patchwork.kernel.org/patch/10174835/ CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 and ...) @@ -14062,6 +14100,7 @@ CVE-2018-5347 (Seagate Media Server in Seagate Personal Cloud has unauthenticate CVE-2018-5346 RESERVED CVE-2018-1000004 (In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a ...) + {DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 CVE-2018-1000001 (In glibc 2.26 and earlier there is confusion in the usage of getcwd() ...) @@ -14117,10 +14156,12 @@ CVE-2018-5334 (In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave f NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14297 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dc308c05ba0673460fe80873b22d296880ee996d CVE-2018-5333 (In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in ...) + {DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/7d11f77f84b27cef452cee332f4e469503084737 CVE-2018-5332 (In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() ...) + {DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c @@ -14419,8 +14460,8 @@ CVE-2018-5236 RESERVED CVE-2018-5235 RESERVED -CVE-2018-5234 - RESERVED +CVE-2018-5234 (The Norton Core router prior to v237 may be susceptible to a command ...) + TODO: check CVE-2017-18022 (In ImageMagick 7.0.7-12 Q16, there are memory leaks in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/904 @@ -17708,6 +17749,7 @@ CVE-2018-3818 (Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripti CVE-2018-3817 (When logging warnings regarding deprecated settings, Logstash before ...) - logstash <itp> (bug #664841) CVE-2017-18017 (The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the ...) + {DLA-1369-1} - linux 4.11.6-1 [stretch] - linux 4.9.47-1 NOTE: Fixed by: https://git.kernel.org/linus/2638fd0f92d4397884fd991d8f4925cb3f081901 @@ -18157,7 +18199,7 @@ CVE-2018-3730 RESERVED CVE-2018-3729 RESERVED -CVE-2018-3728 (hoek node module before 5.0.3 suffers from a Modification of ...) +CVE-2018-3728 (hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of ...) - node-hoek <unfixed> (unimportant) NOTE: fixed in 4.2.1 NOTE: https://github.com/hapijs/hoek/issues/230 @@ -23979,8 +24021,8 @@ CVE-2018-1432 RESERVED CVE-2018-1431 RESERVED -CVE-2018-1430 - RESERVED +CVE-2018-1430 (IBM API Connect 5.0.0.0 through 5.0.8.2 is vulnerable to cross-site ...) + TODO: check CVE-2018-1429 (IBM MQ Appliance 9.0.1, 9.0.2, 9.0.3, amd 9.0.4 is vulnerable to ...) NOT-FOR-US: IBM CVE-2018-1428 (IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and ...) @@ -24061,8 +24103,8 @@ CVE-2018-1391 (IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Service NOT-FOR-US: IBM Financial Transaction Manager CVE-2018-1390 (IBM Financial Transaction Manager for Check Services for ...) NOT-FOR-US: IBM -CVE-2018-1389 - RESERVED +CVE-2018-1389 (IBM API Connect 5.0.0.0 through 5.0.8.2 is impacted by generated ...) + TODO: check CVE-2018-1388 (GSKit V7 may disclose side channel information via discrepancies ...) NOT-FOR-US: IBM WebSphere MQ CVE-2018-1387 (IBM Application Performance Management for Monitoring & Diagnostics ...) @@ -25656,8 +25698,7 @@ CVE-2018-1104 RESERVED CVE-2018-1103 RESERVED -CVE-2018-1102 - RESERVED +CVE-2018-1102 (A flaw was found in source-to-image function as shipped with Openshift ...) NOT-FOR-US: source-to-image in OpenShift CVE-2018-1101 RESERVED @@ -25700,6 +25741,7 @@ CVE-2018-1093 (The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the L - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199181 CVE-2018-1092 (The ext4_iget function in fs/ext4/inode.c in the Linux kernel through ...) + {DLA-1369-1} - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199179 NOTE: Fixed by: https://git.kernel.org/linus/8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 @@ -25788,6 +25830,7 @@ CVE-2018-1070 CVE-2018-1069 (Red Hat OpenShift Enterprise version 3.7 is vulnerable to access ...) NOT-FOR-US: OpenShift CVE-2018-1068 (A flaw was found in the Linux 4.x kernel's implementation of 32-bit ...) + {DLA-1369-1} - linux 4.15.11-1 NOTE: https://git.kernel.org/linus/b71812168571fa55e44cdd0254471331b9c4c4c6 NOTE: Unprivileged user namespaces are disabled in Debian, this only affects @@ -26084,16 +26127,16 @@ CVE-2017-17320 (Huawei Mate 9 Pro smartphones with software of LON-AL00BC00B139D NOT-FOR-US: Huawei CVE-2017-17319 (Huawei P9 smartphones with the versions before EVA-AL10C00B399SP02 ...) NOT-FOR-US: Huawei -CVE-2017-17318 - RESERVED +CVE-2017-17318 (Huawei MBB (Mobile Broadband) products E5771h-937 with the versions ...) + TODO: check CVE-2017-17317 RESERVED CVE-2017-17316 RESERVED CVE-2017-17315 RESERVED -CVE-2017-17314 - RESERVED +CVE-2017-17314 (Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, ...) + TODO: check CVE-2017-17313 (The inputhub driver of HUAWEI P9 Lite mobile phones with Versions ...) NOT-FOR-US: inputhub driver of HUAWEI P9 Lite mobile phones CVE-2017-17312 @@ -27410,8 +27453,8 @@ CVE-2018-0713 RESERVED CVE-2018-0712 RESERVED -CVE-2018-0711 - RESERVED +CVE-2018-0711 (Cross-site scripting (XSS) vulnerability in QNAP QTS 4.3.3 build ...) + TODO: check CVE-2018-0710 RESERVED CVE-2018-0709 @@ -29095,18 +29138,22 @@ CVE-2017-16916 CVE-2017-16915 RESERVED CVE-2017-16914 (The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in ...) + {DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/be6123df1ea8f01ee2f896a16c2b7be3e4557a5a CVE-2017-16913 (The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in ...) + {DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/c6688ef9f29762e65bce325ef4acd6c675806366 CVE-2017-16912 (The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux ...) + {DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 CVE-2017-16911 (The vhci_hcd driver in the Linux Kernel before version 4.14.8 and ...) + {DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 @@ -30654,6 +30701,7 @@ CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users ...) + {DLA-1369-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043 @@ -40325,7 +40373,7 @@ CVE-2017-13168 (An elevation of privilege vulnerability in the kernel scsi drive CVE-2017-13167 (An elevation of privilege vulnerability in the kernel sound timer. ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13166 (An elevation of privilege vulnerability in the kernel v4l2 video ...) - {DSA-4120-1} + {DSA-4120-1 DLA-1369-1} - linux 4.15.4-1 NOTE: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13166.html NOTE: https://git.kernel.org/linus/a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a @@ -51089,10 +51137,10 @@ CVE-2017-9660 (A Heap-Based Buffer Overflow was discovered in Fuji Electric Moni NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9659 (A Stack-Based Buffer Overflow issue was discovered in Fuji Electric ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT -CVE-2017-9658 - RESERVED -CVE-2017-9657 - RESERVED +CVE-2017-9658 (Certain 802.11 network management messages have been determined to ...) + TODO: check +CVE-2017-9657 (Under specific 802.11 network conditions, a partial re-association of ...) + TODO: check CVE-2017-9656 (The backend database of the Philips DoseWise Portal application ...) NOT-FOR-US: Philips DoseWise Portal CVE-2017-9655 (A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator ...) @@ -63666,6 +63714,7 @@ CVE-2017-5717 (Type Confusion in Content Protection HECI Service in Intel Graphi CVE-2017-5716 REJECTED CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and ...) + {DLA-1369-1} - linux 4.15.11-1 NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html @@ -73546,8 +73595,7 @@ CVE-2017-2592 [CatchErrors leaks sensitive values in oslo.middleware] RESERVED - python-oslo.middleware 3.19.0-3 (bug #852742) NOTE: https://launchpad.net/bugs/1628031 -CVE-2017-2591 [DoS via OOB heap read in "attribute uniqueness" plugin] - RESERVED +CVE-2017-2591 (389-ds-base before version 1.3.6 is vulnerable to an improperly NULL ...) - 389-ds-base 1.3.5.15-2 (bug #851769) [jessie] - 389-ds-base <not-affected> (Only affects 1.3.4.0 and later) NOTE: https://fedorahosted.org/389/changeset/ffda694dd622b31277da07be76d3469fad86150f/ @@ -77355,6 +77403,7 @@ CVE-2017-0863 (An elevation of privilege vulnerability in the Upstream kernel vi CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...) NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in the ALSA ...) + {DLA-1369-1} - linux 4.13.4-1 [stretch] - linux 4.9.80-1 NOTE: https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c32a71a724f3a5d1116393812c2dc9f2b67f214 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c32a71a724f3a5d1116393812c2dc9f2b67f214 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits