Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
99399308 by Salvatore Bonaccorso at 2018-09-27T20:12:15Z
Do not specifically list CVE-2018-9251 for DLA-1524-1
The CVE-2018-9251 is caused due to an incomplete fix for CVE-2017-18258,
which was addressed completely in the update. As such libxml2 in jessie
was never affected by CVE-2018-9251 itself.
- - - - -
49fc6de3 by Salvatore Bonaccorso at 2018-09-27T20:17:46Z
Process NFUs
- - - - -
2fbefd07 by Salvatore Bonaccorso at 2018-09-27T20:18:01Z
Add CVE-2018-15836/openswan
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2801,7 +2801,7 @@ CVE-2018-16366 (An issue discovered in idreamsoft iCMS
V7.0.10. ...)
CVE-2018-16365 (An issue discovered in idreamsoft iCMS V7.0.10. ...)
NOT-FOR-US: idreamsoft iCMS
CVE-2018-16364 (A serialization vulnerability in Zoho ManageEngine
Applications ...)
- TODO: check
+ NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2018-16363 (The mndpsingh287 File Manager plugin V2.9 for WordPress has
XSS via ...)
NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress
CVE-2018-16362 (An issue was discovered in the Source Integration plugin
before 1.5.9 ...)
@@ -4148,7 +4148,9 @@ CVE-2018-15838
CVE-2018-15837
RESERVED
CVE-2018-15836 (In Openswan before 2.6.50.1, IKEv2 signature verification is
...)
- TODO: check
+ - openswan <removed>
+ NOTE:
https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51
+ NOTE: https://lists.openswan.org/pipermail/users/2018-August/023761.html
CVE-2018-15835
RESERVED
CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists
in the ...)
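Review bot: the new `openswan <removed>` line records only that the package is no longer in the archive and gives no fixed version, while the CVE description itself names 2.6.50.1 as the first fixed upstream release; a NOTE stating that (e.g. "Fixed upstream in 2.6.50.1") next to the commit link would help anyone tracking an old openswan build from a removed suite. Also worth confirming that the two NOTE references (the xelerance commit 0b460be9 and the August 2018 users-list post) describe the same IKEv2 signature verification fix, since the entry now relies on them as the only source of the fix.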
@@ -4913,7 +4915,7 @@ CVE-2018-15533 (A reflected cross-site scripting
vulnerability exists in Geutebr
CVE-2018-15532
RESERVED
CVE-2018-15531 (JavaMelody before 1.74.0 has XXE via parseSoapMethodName in
...)
- TODO: check
+ NOT-FOR-US: JavaMelody
CVE-2018-15530
RESERVED
CVE-2018-15529 (A command injection vulnerability in maintenance.cgi in Mutiny
...)
@@ -6418,7 +6420,7 @@ CVE-2018-14825 (On Honeywell Mobile Computers (CT60
running Android OS 7.1, CN80
CVE-2018-14824
RESERVED
CVE-2018-14823 (Fuji Electric V-Server 4.0.3.0 and prior, A stack-based buffer
...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14822
RESERVED
CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior.
This ...)
@@ -6426,27 +6428,27 @@ CVE-2018-14821 (Rockwell Automation RSLinx Classic
Versions 4.00.01 and prior. T
CVE-2018-14820
RESERVED
CVE-2018-14819 (Fuji Electric V-Server 4.0.3.0 and prior, An out-of-bounds
read ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14818
RESERVED
CVE-2018-14817 (Fuji Electric V-Server 4.0.3.0 and prior, An integer underflow
...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14816
RESERVED
CVE-2018-14815 (Fuji Electric V-Server 4.0.3.0 and prior, Several
out-of-bounds write ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14814
RESERVED
CVE-2018-14813 (Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer
overflow ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14812
RESERVED
CVE-2018-14811 (Fuji Electric V-Server 4.0.3.0 and prior, Multiple untrusted
pointer ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14810
RESERVED
CVE-2018-14809 (Fuji Electric V-Server 4.0.3.0 and prior, A use after free ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14808
RESERVED
CVE-2018-14807
@@ -7968,7 +7970,7 @@ CVE-2018-14329 (In HTSlib 1.8, a race condition in
cram/cram_io.c might allow lo
CVE-2018-14328 (Brynamics "Online Trade - Online trading and
cryptocurrency investment ...)
NOT-FOR-US: Brynamics "Online Trade - Online trading and cryptocurrency
investment system"
CVE-2018-14327 (The installer for the Alcatel OSPREY3_MINI Modem component on
EE ...)
- TODO: check
+ NOT-FOR-US: Alcatel
CVE-2018-14324 (The demo feature in Oracle GlassFish Open Source Edition 5.0
has TCP ...)
- glassfish <not-affected> (Vulnerable code not included, only builds a
few classes)
CVE-2018-14323
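Review bot: the reason string `NOT-FOR-US: Alcatel` for CVE-2018-14327 is less specific than the other NOT-FOR-US entries in this commit (e.g. "Fuji Electric V-Server", "JavaMelody"), which name the affected product; since the description identifies the installer for the Alcatel OSPREY3_MINI Modem component, naming that component in the reason would make the entry self-explanatory when it is read without the truncated description.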
@@ -21025,7 +21027,6 @@ CVE-2018-9252 (JasPer 2.0.14 allows denial of service
via a reachable assertion
NOTE: https://github.com/mdadams/jasper/issues/173
NOTE: Negligable impact
CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if
--with-lzma is ...)
- {DLA-1524-1}
- libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug
#895195)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914
NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
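Review bot: the hunk header (-7,+6) shows exactly one line removed, and per the commit message that is the `{DLA-1524-1}` reference under CVE-2018-9251; the `libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug #895195)` line is unchanged context, which is consistent with the rationale that the incomplete fix was never present in jessie. Since the leading indentation of the list entries has been lost in this rendering, the two lines look alike, so anyone reading the hunk here should rely on the header counts rather than the leading "- ". Separately, the unchanged context line `NOTE: Negligable impact` under CVE-2018-9252 has a typo (Negligible) that could be corrected in a follow-up commit.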
=====================================
data/DLA/list
=====================================
@@ -1,5 +1,5 @@
[27 Sep 2018] DLA-1524-1 libxml2 - security update
- {CVE-2017-18258 CVE-2018-9251 CVE-2018-14404 CVE-2018-14567}
+ {CVE-2017-18258 CVE-2018-14404 CVE-2018-14567}
[jessie] - libxml2 2.9.1+dfsg1-5+deb8u7
[27 Sep 2018] DLA-1523-1 asterisk - security update
{CVE-2018-17281}
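Review bot: this change is the counterpart of the `{DLA-1524-1}` removal under CVE-2018-9251 in data/CVE/list, so both files now agree that DLA-1524-1 covers CVE-2017-18258, CVE-2018-14404 and CVE-2018-14567 only; the jessie version line `libxml2 2.9.1+dfsg1-5+deb8u7` is unchanged, as expected, since the published update itself is not being altered. It would be worth checking that the advisory text already sent out, if it listed CVE-2018-9251, gets a clarifying note so the tracker and the mailing-list announcement do not diverge.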
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b9c4ee5e11b8e6894a5ee1d92cbacaa18cd40631...2fbefd07fd8f9af4f18b6ebaf6b1b18073d98ef0
--
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits