Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2401bbab by Moritz Muehlenhoff at 2019-07-04T15:23:40Z
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -42436,7 +42436,7 @@ CVE-2018-16838 (A flaw was found in sssd Group Policy
Objects implementation. Wh
NOTE: GPO based access control introduced in
https://github.com/SSSD/sssd/commit/60cab26b12
NOTE: seems to presuppose configuration mistake: if sssd is not given
enough permissions
NOTE: to read GPO, access is systematically granted instead of denied
- TODO: check, Bugzilla entry does not provide details
+ NOTE:
https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175
CVE-2018-16837 (Ansible "User" module leaks any data which is passed on as a
parameter ...)
{DSA-4396-1 DLA-1576-1}
- ansible 2.7.1+dfsg-1 (bug #912297)
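Review bot: The added NOTE for CVE-2018-16838 is a bare pagure commit URL, so the question the removed TODO raised ("Bugzilla entry does not provide details") is dropped rather than answered. Say what the commit is, following the "NOTE: Fixed by: <url>" form used elsewhere in this file, and if it confirms the earlier NOTE's reading that the bug only appears when sssd lacks permission to read the GPO, state that in the same line so the severity reasoning is recorded next to the reference.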
@@ -44000,9 +44000,9 @@ CVE-2018-16251 (A "search for user discovery" injection
issue exists in Creatiwi
CVE-2018-16250 (The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies
the presen ...)
NOT-FOR-US: Creatiwity wityCMS
CVE-2018-16249 (In Symphony before 3.3.0, there is XSS in the Title under
Post. The ID ...)
- TODO: check
+ NOT-FOR-US: b3log
CVE-2018-16248 (b3log Solo 2.9.3 has XSS in the Input page under the "Publish
Articles ...)
- TODO: check
+ NOT-FOR-US: b3log
CVE-2018-16247 (YzmCMS 5.1 has XSS via the
admin/system_manage/user_config_add.html ti ...)
NOT-FOR-US: YzmCMS
CVE-2018-16246
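Review bot: For CVE-2018-16249 the tag "NOT-FOR-US: b3log" does not match the product name "Symphony" in the description, while the next entry spells out "b3log Solo". Use the product name as the surrounding entries do ("NOT-FOR-US: Creatiwity wityCMS", "NOT-FOR-US: YzmCMS"), i.e. "NOT-FOR-US: b3log Symphony", so a later reader does not mistake the entry for another project called Symphony.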
@@ -66964,7 +66964,9 @@ CVE-2018-7579
(\application\admin\controller\update_urls.class.php in YzmCMS 3.6
CVE-2018-7578
RESERVED
CVE-2018-7577 (Memcpy parameter overlap in Google Snappy library 1.1.4, as
used in Go ...)
- TODO: check
+ - snappy <undetermined>
+ NOTE:
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
+ NOTE: There are no useful details, could just as well be a misuse of
snappy by Tensorflow
CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null
Pointer Deref ...)
- tensorflow <itp> (bug #804612)
CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer
Overflow v ...)
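Review bot: CVE-2018-7577 is recorded only against snappy as <undetermined>, but the cited advisory is TensorFlow's own (tfsa-2018-005) and the new NOTE itself says the bug could just as well be a misuse of snappy by TensorFlow. The adjacent TensorFlow entries (CVE-2018-7576, CVE-2018-7575) carry "- tensorflow <itp> (bug #804612)"; add the same tensorflow line here so both candidate sources stay tracked, and make the NOTE say what still needs checking (whether the overlapping memcpy is in snappy 1.1.4 itself or in the caller), otherwise the <undetermined> entry has no path to resolution.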
@@ -78301,7 +78303,7 @@ CVE-2017-1000501 (Awstats version 7.6 and earlier is
vulnerable to a path traver
NOTE:
https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899
NOTE:
https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
CVE-2017-17972 (packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has
XSS in the ...)
- TODO: check
+ NOT-FOR-US: Archon
CVE-2017-17971 (The test_sql_and_script_inject function in htdocs/main.inc.php
in Doli ...)
- dolibarr <removed> (bug #885828)
NOTE: https://github.com/Dolibarr/dolibarr/issues/8000
@@ -98126,9 +98128,9 @@ CVE-2017-14397 (AnyDesk before 3.6.1 on Windows has a
DLL injection vulnerabilit
CVE-2017-14396 (In osTicket before 1.10.1, SQL injection is possible by
constructing a ...)
NOT-FOR-US: osTicket
CVE-2017-14395 (Auth 2.0 Authorization Server of ForgeRock Access Management
(OpenAM) ...)
- TODO: check
+ NOT-FOR-US: OpenAM
CVE-2017-14394 (OAuth 2.0 Authorization Server of ForgeRock Access Management
(OpenAM) ...)
- TODO: check
+ NOT-FOR-US: OpenAM
CVE-2017-14393
REJECTED
CVE-2017-14392
@@ -100120,7 +100122,7 @@ CVE-2017-13720 (In the PatternMatch function in
fontfile/fontdir.c in libXfont t
NOTE: Fixed by:
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608
NOTE: libxfont1 is only used by xfonts-utils, no security impact
CVE-2017-13719 (The Amcrest IPM-721S
Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-13718 (The HTTP API supported by Starry Station (aka Starry Router)
allows br ...)
NOT-FOR-US: Starry Station
CVE-2017-13717 (Starry Station (aka Starry Router) sets the
Access-Control-Allow-Origi ...)
@@ -103108,7 +103110,7 @@ CVE-2017-12780 (The ReadData function in ebmlstring.c
in libebml2 through 2012-0
CVE-2017-12779 (The Node_GetData function in corec/corec/node/node.c in
mkvalidator 0. ...)
NOT-FOR-US: libembl2 (different codebase than src:libebml)
CVE-2017-12778 (** DISPUTED ** The UI Lock feature in qBittorrent version
3.3.15 is vu ...)
- TODO: check
+ NOT-FOR-US: qBittorrent non issue
CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to
non-UFO path ...)
{DSA-3981-1}
- linux 4.12.6-1 (low)
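Review bot: "NOT-FOR-US: qBittorrent non issue" mixes two things: NOT-FOR-US is the tag for software not in the Debian archive, and "non issue" is a verdict. Unless qbittorrent has left the archive, this should be a package line with a status, in the form used elsewhere in this file ("- dpkg 1.18.24 (unimportant)" or "- lxcfs <not-affected> (...)"), with the DISPUTED reasoning in a separate NOTE line so the tracker records why the UI Lock report is considered a non-issue.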
@@ -106549,9 +106551,9 @@ CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site
Scripting (XSS) in admin/Log
CVE-2017-11580 (Blipcare Wifi blood pressure monitor BP700 10.1 devices allow
memory c ...)
NOT-FOR-US: Blipcare Wifi blood pressure monitor BP700 10.1 devices
CVE-2017-11579 (In the most recent firmware for Blipcare, the device provides
an open ...)
- TODO: check
+ NOT-FOR-US: Blipcare
CVE-2017-11578 (It was discovered as a part of the research on IoT devices in
the most ...)
- TODO: check
+ NOT-FOR-US: Blipcare
CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in
getsid (pars ...)
{DSA-3958-1 DLA-1065-1}
- fontforge 1:20170731~dfsg-1 (bug #869614)
@@ -113203,11 +113205,11 @@ CVE-2017-9329
CVE-2017-9328 (Shell metacharacter injection vulnerability in
/usr/www/include/ajax/G ...)
NOT-FOR-US: TerraMaster TOS
CVE-2017-9327 (Secret data of processes managed by CM is not secured by file
permissi ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2017-9326 (The keystore password for the Spark History Server may be
exposed in u ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2017-9325 (The provided secure solrconfig.xml sample configuration does
not enfor ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2017-9334 (An incorrect "pair?" check in the Scheme "length" procedure
results in ...)
- chicken 4.12.0-0.2 (low; bug #863884)
[stretch] - chicken <no-dsa> (Minor issue)
@@ -116600,15 +116602,15 @@ CVE-2017-8232
CVE-2017-8231
RESERVED
CVE-2017-8230 (On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the
users on th ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-8229 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an
unauthenti ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-8228 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle
reboots w ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-8227 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a
timeout poli ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-8226 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default
creden ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a
non-GNU pat ...)
- dpkg 1.18.24 (unimportant)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/20/2
@@ -121271,7 +121273,7 @@ CVE-2017-6902
CVE-2017-6901
RESERVED
CVE-2017-6900 (An issue was discovered in Riello NetMan 204 14-2 and 15-2. The
issue ...)
- TODO: check
+ NOT-FOR-US: Riello NetMan
CVE-2017-6899 (The msm_bus_dbg_update_request_write function in
drivers/platform/msm/ ...)
NOT-FOR-US: android_kernel_huawei_msm8916 in LineageOS (and other
kernels for MSM devices)
CVE-2017-6898
@@ -123382,7 +123384,7 @@ CVE-2017-6218
CVE-2017-6217
RESERVED
CVE-2017-6216 (novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable
to a ref ...)
- TODO: check
+ NOT-FOR-US: novaksolutions/infusionsoft-php-sdk
CVE-2017-6215 (paypal/permissions-sdk-php is vulnerable to reflected XSS in
the sampl ...)
NOT-FOR-US: PayPal permissions-sdk-php
CVE-2017-6213 (paypal/invoice-sdk-php is vulnerable to reflected XSS in
samples/permi ...)
@@ -184800,7 +184802,7 @@ CVE-2015-3908 (Ansible before 1.9.2 does not verify
that the server hostname mat
[jessie] - ansible <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/4
CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1
allows XXE ...)
- TODO: check
+ NOT-FOR-US: CodeIgniter Rest Server
CVE-2015-3906 (The logcat_dump_text function in wiretap/logcat.c in the
Android Logca ...)
{DSA-3277-1}
- wireshark 1.12.5+g5819e5b-1
@@ -192754,7 +192756,7 @@ CVE-2015-1344 (The do_write_pids function in lxcfs.c
in LXCFS before 0.12 does n
- lxcfs <not-affected> (Fixed before initial upload to the archive)
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1512854
CVE-2015-1343 (All versions of unity-scope-gdrive logs search terms to syslog.
...)
- TODO: check
+ NOT-FOR-US: unity-scope-gdrive
CVE-2015-1342 (LXCFS before 0.12 does not properly enforce directory escapes,
which m ...)
- lxcfs <not-affected> (Fixed before initial upload to the archive)
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481
@@ -192818,7 +192820,7 @@ CVE-2015-1328 (The overlayfs implementation in the
linux (aka Linux kernel) pack
NOTE:
https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html
NOTE:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549
CVE-2015-1327 (Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS
API only ...)
- TODO: check
+ NOT-FOR-US: Content Hub
CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus
method call ...)
- python-dbusmock 0.15.1-1 (bug #786858)
[jessie] - python-dbusmock 0.11.4-1+deb8u1
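Review bot: "NOT-FOR-US: Content Hub" is a generic name; the version string in the description ("0.0+15.04.20150331-0ubuntu1.0") shows this is the Ubuntu-specific package, so tag it as "NOT-FOR-US: Ubuntu Content Hub" for the same reason the previous hunk names the Ubuntu-only unity-scope-gdrive explicitly.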
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2401bbab68c229ff92867646f02bec9d9536c247
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits