Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4a684226 by security tracker role at 2018-06-01T08:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,35 @@
+CVE-2018-11644
+       RESERVED
+CVE-2018-11643
+       RESERVED
+CVE-2018-11642
+       RESERVED
+CVE-2018-11641
+       RESERVED
+CVE-2018-11640
+       RESERVED
+CVE-2018-11639
+       RESERVED
+CVE-2018-11638
+       RESERVED
+CVE-2018-11637
+       RESERVED
+CVE-2018-11636
+       RESERVED
+CVE-2018-11635
+       RESERVED
+CVE-2018-11634
+       RESERVED
+CVE-2018-11633 (An issue was discovered in the MULTIDOTS Woo Checkout for 
Digital Goods ...)
+       TODO: check
+CVE-2018-11632 (An issue was discovered in the MULTIDOTS Add Social Share 
Messenger ...)
+       TODO: check
+CVE-2018-11631 (Rondaful M1 Wristband Smart Band 1 devices allow remote 
attackers to ...)
+       TODO: check
+CVE-2018-11630
+       RESERVED
+CVE-2018-11629
+       RESERVED
 CVE-2018-11628
        RESERVED
 CVE-2018-11627 (Sinatra before 2.0.2 has XSS via the 400 Bad Request page that 
occurs ...)
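Review bot: CVE-2018-11631 at the end of the added block is described as "Rondaful M1 Wristband Smart Band 1 devices" yet lands as "TODO: check", as do the two MULTIDOTS entries above it. The file already resolves hardware-only issues with lines such as "NOT-FOR-US: Amazon Echo devices", so these three need a triage pass that replaces TODO with either a package line or a NOT-FOR-US tag rather than staying open.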
@@ -126,7 +158,7 @@ CVE-2018-11569
        RESERVED
 CVE-2018-11568 (Reflected XSS is possible in the GamePlan theme through 
1.5.13.2 for ...)
        NOT-FOR-US: GamePlan theme for WordPress
-CVE-2018-11567 (Prior to 2018-04-27, the reprompt feature in Amazon Echo 
devices could ...)
+CVE-2018-11567 (** DISPUTED ** Prior to 2018-04-27, the reprompt feature in 
Amazon ...)
        NOT-FOR-US: Amazon Echo devices
 CVE-2018-11566
        RESERVED
@@ -1722,6 +1754,7 @@ CVE-2018-10942 
(modules/attributewizardpro/file_upload.php in the Attribute Wiza
 CVE-2018-10941
        RESERVED
 CVE-2018-10940 (The cdrom_ioctl_media_changed function in 
drivers/cdrom/cdrom.c in the ...)
+       {DLA-1392-1}
        - linux 4.16.12-1
        NOTE: Fixed by: 
https://git.kernel.org/linus/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707
 CVE-2018-10939 (Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 
before ...)
@@ -3081,8 +3114,7 @@ CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 
allows local users to o
        NOTE: 
https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5 
(Plasma 5.12)
        NOTE: 
https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8 
(Plasma 5.8)
        NOTE: 
https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b 
(Plasma 5.8)
-CVE-2018-10379 [Persistent XSS in 'Move Issue' using project namespace]
-       RESERVED
+CVE-2018-10379 (An issue was discovered in GitLab Community Edition (CE) and 
Enterprise ...)
        - gitlab 10.6.5+dfsg-1
        [stretch] - gitlab <not-affected> (Vulnerable code introduced in 9.5)
        NOTE: 
https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/
@@ -5987,8 +6019,8 @@ CVE-2018-9188
        RESERVED
 CVE-2018-9187
        RESERVED
-CVE-2018-9186
-       RESERVED
+CVE-2018-9186 (A cross-site scripting (XSS) vulnerability in Fortinet ...)
+       TODO: check
 CVE-2018-9185
        RESERVED
 CVE-2018-9184
@@ -6734,7 +6766,7 @@ CVE-2018-8899 (IdentityServer IdentityServer4 1.x before 
1.5.3 and 2.x before 2.
 CVE-2018-8898 (A flaw in the authentication mechanism in the Login Panel of 
router ...)
        NOT-FOR-US: D-Link
 CVE-2018-8897 (A statement in the System Programming Guide of the Intel 64 and 
IA-32 ...)
-       {DSA-4201-1 DSA-4196-1 DLA-1383-1}
+       {DSA-4201-1 DSA-4196-1 DLA-1392-1 DLA-1383-1}
        - linux 4.15.17-1
        NOTE: Fixed by: 
https://git.kernel.org/linus/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 (4.16-rc7)
        - xen <unfixed>
@@ -13371,8 +13403,8 @@ CVE-2018-6554
        RESERVED
 CVE-2018-6553
        RESERVED
-CVE-2018-6552
-       RESERVED
+CVE-2018-6552 (Apport does not properly handle crashes originating from a PID 
...)
+       TODO: check
 CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or 
libc6), ...)
        [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0
        - glibc 2.27-1
@@ -15905,6 +15937,7 @@ CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer 
overflow caused by an ...)
        - openjpeg2 <unfixed> (low; bug #888533)
        NOTE: https://github.com/uclouvain/openjpeg/issues/1057
 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption 
in the ...)
+       {DLA-1391-1}
        - tiff 4.0.9-4 (bug #890441)
        [stretch] - tiff <postponed> (Minor issue, revisit once fixed upstream)
        [jessie] - tiff <postponed> (Minor issue, revisit once fixed upstream)
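Review bot: The {DLA-1391-1} reference added to CVE-2018-5784 sits directly above "[jessie] - tiff <postponed>" and "[stretch] - tiff <postponed>", and nothing in the entry says which release the advisory fixed. Confirm the target release of DLA-1391-1 and, if it is one of the releases listed here, update that release line so the entry does not read as both fixed by an advisory and postponed.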
@@ -27002,8 +27035,8 @@ CVE-2018-1534
        RESERVED
 CVE-2018-1533
        RESERVED
-CVE-2018-1532
-       RESERVED
+CVE-2018-1532 (IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly 
update the ...)
+       TODO: check
 CVE-2018-1531
        RESERVED
 CVE-2018-1530
@@ -27074,8 +27107,8 @@ CVE-2018-1498
        RESERVED
 CVE-2018-1497
        RESERVED
-CVE-2018-1496
-       RESERVED
+CVE-2018-1496 (IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is 
...)
+       TODO: check
 CVE-2018-1495 (IBM FlashSystem V840 and V900 products could allow an 
authenticated ...)
        NOT-FOR-US: IBM
 CVE-2018-1494
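Review bot: CVE-2018-1496 (IBM Content Navigator) is added as "TODO: check" one entry above CVE-2018-1495, which is already triaged as "NOT-FOR-US: IBM". Unless this product differs from the neighbouring IBM entries in some way the truncated description does not show, it should get the same tag so it drops out of the TODO queue.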
@@ -28811,6 +28844,7 @@ CVE-2018-1132
 CVE-2018-1131 (Infinispan permits improper deserialization of trusted data via 
XML ...)
        NOT-FOR-US: infinispan
 CVE-2018-1130 (Linux kernel before version 4.16-rc7 is vulnerable to a null 
pointer ...)
+       {DLA-1392-1}
        - linux 4.15.17-1
        NOTE: Fixed by: 
https://git.kernel.org/linus/67f93df79aeefc3add4e4b31a752600f834236e2
 CVE-2018-1129
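Review bot: The "NOTE: Fixed by:" line under CVE-2018-1130 carries only the commit URL, although the description states the kernel is vulnerable "before version 4.16-rc7" and the equivalent note on CVE-2018-8897 ends with "(4.16-rc7)". Adding the upstream version tag here would keep the kernel entries touched by {DLA-1392-1} consistent and save a lookup when checking backports.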
@@ -28978,7 +29012,7 @@ CVE-2018-1094 (The ext4_fill_super function in 
fs/ext4/super.c in the Linux kern
        [wheezy] - linux <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199183
 CVE-2018-1093 (The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the 
Linux ...)
-       {DSA-4188-1}
+       {DSA-4188-1 DLA-1392-1}
        - linux 4.15.17-1
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199181
 CVE-2018-1092 (The ext4_iget function in fs/ext4/inode.c in the Linux kernel 
through ...)
@@ -35459,117 +35493,116 @@ CVE-2016-10574
        RESERVED
 CVE-2016-10573 (baryton-saxophone is a module to install and launch Selenium 
Server ...)
        TODO: check
-CVE-2016-10572
-       RESERVED
-CVE-2016-10571
-       RESERVED
+CVE-2016-10572 (mongodb-instance before 0.0.3 installs mongodb locally. ...)
+       TODO: check
+CVE-2016-10571 (bkjs-wand is imagemagick wand support for node.js and 
backendjs ...)
+       TODO: check
 CVE-2016-10570 (pngcrush-installer is an installer for Pngcrush. 
pngcrush-installer ...)
        TODO: check
-CVE-2016-10569
-       RESERVED
+CVE-2016-10569 (embedza is a module to create HTML snippets/embeds from URLs 
using ...)
+       TODO: check
 CVE-2016-10568 (geoip-lite-country is a stripped down version of geoip-lite, 
...)
        TODO: check
 CVE-2016-10567 (product-monitor is a HTML/JavaScript template for monitoring a 
product ...)
        TODO: check
 CVE-2016-10566 (install-nw is a module which quickly and robustly installs and 
caches ...)
        TODO: check
-CVE-2016-10565
-       RESERVED
-CVE-2016-10564
-       RESERVED
-CVE-2016-10563
-       RESERVED
-CVE-2016-10562
-       RESERVED
-CVE-2016-10561
-       RESERVED
-CVE-2016-10560
-       RESERVED
+CVE-2016-10565 (operadriver is a Opera Driver for Selenium. operadriver 
versions below ...)
+       TODO: check
+CVE-2016-10564 (apk-parser is a tool to extract Android Manifest info from an 
APK ...)
+       TODO: check
+CVE-2016-10563 (During the installation process, the go-ipfs-deps module 
before 0.4.4 ...)
+       TODO: check
+CVE-2016-10562 (iedriver is an NPM wrapper for Selenium IEDriver. iedriver 
versions ...)
+       TODO: check
+CVE-2016-10561 (Bitty is a development web server tool that functions similar 
to ...)
+       TODO: check
+CVE-2016-10560 (galenframework-cli is the node wrapper for the Galen 
Framework. ...)
+       TODO: check
 CVE-2016-10559 (selenium-download downloads the latest versions of the 
selenium ...)
        TODO: check
 CVE-2016-10558 (aerospike is an Aerospike add-on module for Node.js. aerospike 
...)
        TODO: check
-CVE-2016-10557
-       RESERVED
+CVE-2016-10557 (appium-chromedriver is a Node.js wrapper around Chromedriver. 
Versions ...)
+       TODO: check
 CVE-2016-10556 (sequelize is an Object-relational mapping, or a middleman to 
convert ...)
        TODO: check
-CVE-2016-10555
-       RESERVED
+CVE-2016-10555 (Since &quot;algorithm&quot; isn't enforced in jwt.decode()in 
jwt-simple 0.3.0 ...)
        NOT-FOR-US: nodejs-jwt-simple
-CVE-2016-10554
-       RESERVED
-CVE-2016-10553
-       RESERVED
-CVE-2016-10552
-       RESERVED
+CVE-2016-10554 (sequelize is an Object-relational mapping, or a middleman to 
convert ...)
+       TODO: check
+CVE-2016-10553 (sequalize is an Object-relational mapping, or a middleman to 
convert ...)
+       TODO: check
+CVE-2016-10552 (igniteui 0.0.5 and earlier downloads JavaScript and CSS 
resources over ...)
+       TODO: check
 CVE-2016-10551 (waterline-sequel is a module that helps generate SQL 
statements for ...)
        TODO: check
-CVE-2016-10550
-       RESERVED
-CVE-2016-10549
-       RESERVED
-CVE-2016-10548
-       RESERVED
-CVE-2016-10547
-       RESERVED
-CVE-2016-10546
-       RESERVED
+CVE-2016-10550 (sequalize is an Object-relational mapping, or a middleman to 
convert ...)
+       TODO: check
+CVE-2016-10549 (Sails is an MVC style framework for building realtime web ...)
+       TODO: check
+CVE-2016-10548 (Arbitrary code execution is possible in reduce-css-calc node 
module ...)
+       TODO: check
+CVE-2016-10547 (Nunjucks is a full featured templating engine for JavaScript. 
Versions ...)
+       TODO: check
+CVE-2016-10546 (An arbitrary code injection vector was found in PouchDB 6.0.4 
and ...)
+       TODO: check
 CVE-2016-10545
        RESERVED
-CVE-2016-10544
-       RESERVED
-CVE-2016-10543
-       RESERVED
-CVE-2016-10542
-       RESERVED
-CVE-2016-10541
-       RESERVED
-CVE-2016-10540
-       RESERVED
-CVE-2016-10539
-       RESERVED
-CVE-2016-10538
-       RESERVED
-CVE-2016-10537
-       RESERVED
-CVE-2016-10536
-       RESERVED
-CVE-2016-10535
-       RESERVED
-CVE-2016-10534
-       RESERVED
-CVE-2016-10533
-       RESERVED
-CVE-2016-10532
-       RESERVED
-CVE-2016-10531
-       RESERVED
-CVE-2016-10530
-       RESERVED
-CVE-2016-10529
-       RESERVED
-CVE-2016-10528
-       RESERVED
-CVE-2016-10527
-       RESERVED
-CVE-2016-10526
-       RESERVED
+CVE-2016-10544 (uws is a WebSocket server library. By sending a 256mb 
websocket ...)
+       TODO: check
+CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi 
framework. ...)
+       TODO: check
+CVE-2016-10542 (ws is a &quot;simple to use, blazing fast and thoroughly 
tested websocket ...)
+       TODO: check
+CVE-2016-10541 (The npm module &quot;shell-quote&quot; 1.6.0 and earlier 
cannot correctly escape ...)
+       TODO: check
+CVE-2016-10540 (Minimatch is a minimal matching utility that works by 
converting glob ...)
+       TODO: check
+CVE-2016-10539 (negotiator is an HTTP content negotiator for Node.js and is 
used by ...)
+       TODO: check
+CVE-2016-10538 (The package `node-cli` before 1.0.0 insecurely uses the 
lock_file and ...)
+       TODO: check
+CVE-2016-10537 (backbone is a module that adds in structure to a JavaScript 
heavy ...)
+       TODO: check
+CVE-2016-10536 (engine.io-client is the client for engine.io, the 
implementation of a ...)
+       TODO: check
+CVE-2016-10535 (csrf-lite is a cross-site request forgery protection library 
for ...)
+       TODO: check
+CVE-2016-10534 (electron-packager is a command line tool that packages 
Electron source ...)
+       TODO: check
+CVE-2016-10533 (express-restify-mongoose is a module to easily create a 
flexible REST ...)
+       TODO: check
+CVE-2016-10532 (console-io is a module that allows users to implement a web 
console in ...)
+       TODO: check
+CVE-2016-10531 (marked is an application that is meant to parse and compile 
markdown. ...)
+       TODO: check
+CVE-2016-10530 (The airbrake module 0.3.8 and earlier defaults to sending 
environment ...)
+       TODO: check
+CVE-2016-10529 (Droppy versions &lt;3.5.0 does not perform any verification 
for ...)
+       TODO: check
+CVE-2016-10528 (restafary is a REpresentful State Transfer API for Creating, 
Reading, ...)
+       TODO: check
+CVE-2016-10527 (The riot-compiler version version 2.3.21 has an issue in a 
regex ...)
+       TODO: check
+CVE-2016-10526 (A common setup to deploy to gh-pages on every commit via a CI 
system ...)
+       TODO: check
 CVE-2016-10525 (When attempting to allow authentication mode `try` in hapi, 
...)
        TODO: check
-CVE-2016-10524
-       RESERVED
-CVE-2016-10523
-       RESERVED
+CVE-2016-10524 (i18n-node-angular is a module used to interact between i18n 
and ...)
+       TODO: check
+CVE-2016-10523 (MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically 
crafted ...)
+       TODO: check
 CVE-2016-10522
        RESERVED
-CVE-2016-10521
-       RESERVED
-CVE-2016-10520
-       RESERVED
-CVE-2016-10519
-       RESERVED
-CVE-2016-10518
-       RESERVED
+CVE-2016-10521 (jshamcrest is vulnerable to regular expression denial of 
service ...)
+       TODO: check
+CVE-2016-10520 (jadedown is vulnerable to regular expression denial of service 
(ReDoS) ...)
+       TODO: check
+CVE-2016-10519 (A security issue was found in bittorrent-dht before 5.1.3 that 
allows ...)
+       TODO: check
+CVE-2016-10518 (A vulnerability was found in the ping functionality of the ws 
module ...)
+       TODO: check
 CVE-2015-9243 (When server level, connection level or route level CORS 
configurations ...)
        TODO: check
 CVE-2015-9242 (Certain input strings when passed to new Date() or Date.parse() 
in ...)
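Review bot: Several of the imported descriptions in this hunk contain HTML entities instead of the literal characters: "&quot;algorithm&quot;" in CVE-2016-10555, "&quot;shell-quote&quot;" in CVE-2016-10541, "&quot;simple to use" in CVE-2016-10542 and "&lt;3.5.0" in CVE-2016-10529. Other lines in the same file use a literal "<" (for example "<not-affected>"), so the automatic update should unescape entities before writing descriptions. Also note that CVE-2016-10553 and CVE-2016-10550 spell the package "sequalize" while CVE-2016-10554 and CVE-2016-10556 say "sequelize", which matters when triaging these TODO entries by package name.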
@@ -35578,26 +35611,26 @@ CVE-2015-9241 (Certain input passed into the 
If-Modified-Since or Last-Modified 
        TODO: check
 CVE-2015-9240 (Due to a bug in the the default sign in functionality in the 
keystone ...)
        TODO: check
-CVE-2015-9239
-       RESERVED
-CVE-2015-9238
-       RESERVED
+CVE-2015-9239 (ansi2html is vulnerable to regular expression denial of service 
...)
+       TODO: check
+CVE-2015-9238 (secure-compare 3.0.0 and below do not actually compare two 
strings ...)
+       TODO: check
 CVE-2015-9237
        RESERVED
-CVE-2015-9236
-       RESERVED
+CVE-2015-9236 (Hapi versions less than 11.0.0 implement CORS incorrectly and 
allowed ...)
+       TODO: check
 CVE-2015-9235 (In jsonwebtoken node module before 4.2.2 it is possible for an 
...)
        NOT-FOR-US: jsonwebtoken node module
 CVE-2014-10068 (The inert directory handler in inert node module before 1.1.1 
always ...)
        TODO: check
 CVE-2014-10067 (paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which 
is set by ...)
        TODO: check
-CVE-2014-10066
-       RESERVED
-CVE-2014-10065
-       RESERVED
-CVE-2014-10064
-       RESERVED
+CVE-2014-10066 (Versions less than 0.1.4 of the static file server module 
fancy-server ...)
+       TODO: check
+CVE-2014-10065 (Certain input when passed into remarkable before 1.4.1 will 
bypass the ...)
+       TODO: check
+CVE-2014-10064 (The qs module before 1.0.0 does not have an option or default 
for ...)
+       TODO: check
 CVE-2017-15994 (rsync 3.1.3-development before 2017-10-24 mishandles archaic 
...)
        - rsync <not-affected> (Problematic code to allow checksum choice only 
introduced after 3.1.2 release)
        NOTE: 
https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3
@@ -48728,6 +48761,7 @@ CVE-2017-11615 (A sandbox escape in the Lua interface 
in Wube Factorio before 0.
 CVE-2017-11614 (MEDHOST Connex contains hard-coded credentials that are used 
for ...)
        NOT-FOR-US: MEDHOST Connex
 CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of service vulnerability 
in the ...)
+       {DLA-1391-1}
        - tiff 4.0.9-5 (low; bug #869823)
        [stretch] - tiff <postponed> (Minor issue, revisit once fixed upstream)
        [jessie] - tiff <postponed> (Minor issue, revisit once fixed upstream)
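Review bot: CVE-2017-11613 gains {DLA-1391-1} while both release lines below it still say "<postponed> (Minor issue, revisit once fixed upstream)" and the unstable line is marked "low". The advisory reference and the postponed status should be reconciled for whichever release DLA-1391-1 covers.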



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a6842261786838fa4f691619ef6ea458dbfc6c8
