Author: sectracker Date: 2017-08-09 21:10:19 +0000 (Wed, 09 Aug 2017) New Revision: 54490
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-08-09 19:37:56 UTC (rev 54489) +++ data/CVE/list 2017-08-09 21:10:19 UTC (rev 54490) @@ -1,3 +1,163 @@ +CVE-2017-12773 + RESERVED +CVE-2017-12772 + RESERVED +CVE-2017-12771 + RESERVED +CVE-2017-12770 + RESERVED +CVE-2017-12769 + RESERVED +CVE-2017-12768 + RESERVED +CVE-2017-12767 + RESERVED +CVE-2017-12766 + RESERVED +CVE-2017-12765 + RESERVED +CVE-2017-12764 + RESERVED +CVE-2017-12763 + RESERVED +CVE-2017-12762 + RESERVED +CVE-2017-12761 + RESERVED +CVE-2017-12760 + RESERVED +CVE-2017-12759 + RESERVED +CVE-2017-12758 + RESERVED +CVE-2017-12757 + RESERVED +CVE-2017-12756 + RESERVED +CVE-2017-12755 + RESERVED +CVE-2017-12754 (Stack buffer overflow in httpd in Asuswrt-Merlin firmware ...) + TODO: check +CVE-2017-12753 + RESERVED +CVE-2017-12752 + RESERVED +CVE-2017-12751 + RESERVED +CVE-2017-12750 + RESERVED +CVE-2017-12749 + RESERVED +CVE-2017-12748 + RESERVED +CVE-2017-12747 + RESERVED +CVE-2017-12746 + RESERVED +CVE-2017-12745 + RESERVED +CVE-2017-12744 + RESERVED +CVE-2017-12743 + RESERVED +CVE-2017-12742 + RESERVED +CVE-2017-12741 + RESERVED +CVE-2017-12740 + RESERVED +CVE-2017-12739 + RESERVED +CVE-2017-12738 + RESERVED +CVE-2017-12737 + RESERVED +CVE-2017-12736 + RESERVED +CVE-2017-12735 + RESERVED +CVE-2017-12734 + RESERVED +CVE-2017-12733 + RESERVED +CVE-2017-12732 + RESERVED +CVE-2017-12731 + RESERVED +CVE-2017-12730 + RESERVED +CVE-2017-12729 + RESERVED +CVE-2017-12728 + RESERVED +CVE-2017-12727 + RESERVED +CVE-2017-12726 + RESERVED +CVE-2017-12725 + RESERVED +CVE-2017-12724 + RESERVED +CVE-2017-12723 + RESERVED +CVE-2017-12722 + RESERVED +CVE-2017-12721 + RESERVED +CVE-2017-12720 + RESERVED +CVE-2017-12719 + RESERVED +CVE-2017-12718 + RESERVED +CVE-2017-12717 + RESERVED +CVE-2017-12716 + RESERVED +CVE-2017-12715 + RESERVED +CVE-2017-12714 + RESERVED +CVE-2017-12713 + RESERVED +CVE-2017-12712 + RESERVED +CVE-2017-12711 + RESERVED +CVE-2017-12710 + RESERVED +CVE-2017-12709 + RESERVED +CVE-2017-12708 + RESERVED +CVE-2017-12707 + RESERVED +CVE-2017-12706 + RESERVED +CVE-2017-12705 + RESERVED +CVE-2017-12704 + RESERVED +CVE-2017-12703 + RESERVED +CVE-2017-12702 + RESERVED +CVE-2017-12701 + RESERVED +CVE-2017-12700 + RESERVED +CVE-2017-12699 + RESERVED +CVE-2017-12698 + RESERVED +CVE-2017-12697 + RESERVED +CVE-2017-12696 + RESERVED +CVE-2017-12695 + RESERVED +CVE-2017-12694 + RESERVED CVE-2017-1000101 [URL globbing out of bounds read] - curl <unfixed> (bug #871554) NOTE: https://curl.haxx.se/docs/adv_20170809A.html @@ -2875,8 +3035,8 @@ RESERVED CVE-2017-11507 RESERVED -CVE-2017-11506 - RESERVED +CVE-2017-11506 (When linking a Nessus scanner or agent to Tenable.io or other manager, ...) + TODO: check CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was ...) - tor <unfixed> (bug #869153) [stretch] - tor <no-dsa> (Minor issue) @@ -3245,8 +3405,7 @@ RESERVED CVE-2017-11369 RESERVED -CVE-2017-11368 [Invalid S4U2Self or S4U2Proxy request causes assertion failure] - RESERVED +CVE-2017-11368 (In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker ...) - krb5 1.15.1-2 (bug #869260) [stretch] - krb5 <no-dsa> (Minor issue; can be fixed along with a future DSA) [jessie] - krb5 <no-dsa> (Minor issue; can be fixed along with a future DSA) @@ -8360,7 +8519,7 @@ NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9458 RESERVED -CVE-2017-9457 (Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware does not ...) +CVE-2017-9457 (Intense PC Phoenix SecureCore UEFI firmware does not perform capsule ...) NOT-FOR-US: Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware CVE-2017-9456 RESERVED @@ -8646,8 +8805,8 @@ NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d68f0f778e7f4fbd674627274267f269e40f0b04 CVE-2017-9371 RESERVED -CVE-2017-9370 - RESERVED +CVE-2017-9370 (An information disclosure / elevation of privilege vulnerability in ...) + TODO: check CVE-2017-9369 RESERVED CVE-2017-9368 @@ -19784,10 +19943,10 @@ NOT-FOR-US: Intel CVE-2017-5696 RESERVED -CVE-2017-5695 - RESERVED -CVE-2017-5694 - RESERVED +CVE-2017-5695 (Data corruption vulnerability in firmware in Intel Solid-State Drive ...) + TODO: check +CVE-2017-5694 (Data corruption vulnerability in firmware in Intel Solid-State Drive ...) + TODO: check CVE-2017-5693 RESERVED CVE-2017-5692 @@ -31719,8 +31878,8 @@ RESERVED CVE-2017-1449 RESERVED -CVE-2017-1448 - RESERVED +CVE-2017-1448 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could ...) + TODO: check CVE-2017-1447 RESERVED CVE-2017-1446 @@ -31901,8 +32060,8 @@ RESERVED CVE-2017-1358 RESERVED -CVE-2017-1357 - RESERVED +CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated ...) + TODO: check CVE-2017-1356 RESERVED CVE-2017-1355 @@ -37028,8 +37187,8 @@ NOT-FOR-US: IBM CVE-2016-8950 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM -CVE-2016-8949 - RESERVED +CVE-2016-8949 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could ...) + TODO: check CVE-2016-8948 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-8947 (IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote ...) @@ -46499,8 +46658,8 @@ NOT-FOR-US: IBM CVE-2016-6122 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses answers to ...) NOT-FOR-US: IBM -CVE-2016-6121 - RESERVED +CVE-2016-6121 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x is ...) + TODO: check CVE-2016-6120 RESERVED CVE-2016-6119 @@ -47638,8 +47797,8 @@ RESERVED CVE-2016-5717 RESERVED -CVE-2016-5716 - RESERVED +CVE-2016-5716 (The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 ...) + TODO: check CVE-2016-5715 (Open redirect vulnerability in the Console in Puppet Enterprise 2015.x ...) - puppet <not-affected> (Limited to Puppet Enterprise) CVE-2016-5714 @@ -68378,8 +68537,8 @@ RESERVED CVE-2015-7895 (Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a ...) NOT-FOR-US: Samsung -CVE-2015-7894 - RESERVED +CVE-2015-7894 (The DCMProvider service in Samsung LibQjpeg on a Samsung SM-G925V ...) + TODO: check CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, ...) NOT-FOR-US: Samsung CVE-2015-7892 @@ -68818,8 +68977,8 @@ {DSA-3380-1 DLA-341-1} - php5 5.6.14+dfsg-1 (low) NOTE: https://bugs.php.net/bug.php?id=69720 -CVE-2015-7764 - RESERVED +CVE-2015-7764 (Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting ...) + TODO: check CVE-2015-7763 (rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, and ...) {DSA-3387-1 DLA-342-1} - openafs 1.6.15-1 @@ -71075,8 +71234,7 @@ - serendipity <removed> CVE-2015-6942 RESERVED -CVE-2015-6941 [win_useradd module and salt-cloud display passwords in debug log] - RESERVED +CVE-2015-6941 (win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before ...) - salt 2015.8.1+ds-1 [jessie] - salt <no-dsa> (Minor issue) NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html @@ -71498,8 +71656,7 @@ [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/4 NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html -CVE-2015-6816 [Ganglia-web auth bypass] - RESERVED +CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass ...) - ganglia-web <unfixed> (unimportant; bug #798213) - ganglia 3.6.0-1 (unimportant) [squeeze] - ganglia <not-affected> (affected code not present) @@ -72382,8 +72539,7 @@ NOTE: https://github.com/owncloud/core/commit/9f8c0a3a8d14f1c127b2034faa14d8d309f962e9 CVE-2015-6499 RESERVED -CVE-2015-6498 - RESERVED +CVE-2015-6498 (Alcatel-Lucent Home Device Manager before 4.1.10, 4.2.x before 4.2.2 ...) NOT-FOR-US: Alcatel-Lucent Home Device Manager CVE-2015-6497 RESERVED @@ -74597,8 +74753,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/2 CVE-2015-5620 RESERVED -CVE-2015-5619 - RESERVED +CVE-2015-5619 (Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack ...) - logstash <itp> (bug #664841) CVE-2015-5618 (Chiyu BF-630 and BF-630W fingerprint access-control devices allow ...) NOT-FOR-US: Chiyu BF-630 and BF-630W fingerprint access-control devices @@ -78785,8 +78940,7 @@ RESERVED CVE-2015-4166 (Cloudera Key Trustee Server before 5.4.3 does not store keys ...) NOT-FOR-US: Cloudera -CVE-2015-4165 [unspecified arbitrary files modification vulnerability] - RESERVED +CVE-2015-4165 (The snapshot API in Elasticsearch before 1.6.0 when another ...) - elasticsearch 1.6.0+dfsg-1 (bug #788471) [jessie] - elasticsearch <end-of-life> (No longer supported, see DSA 3389) NOTE: https://github.com/elastic/elasticsearch/issues/11068 @@ -81366,8 +81520,7 @@ NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365 CVE-2015-3278 (The cipherstring parsing code in nss_compat_ossl while in ...) NOT-FOR-US: nss_compat_ossl (OpenSSL to NSS Porting Library) -CVE-2015-3277 [incorrect multi-keyword mode cipherstring parsing] - RESERVED +CVE-2015-3277 (The mod_nss module before 1.0.11 in Fedora allows remote attackers to ...) - libapache2-mod-nss <unfixed> (bug #795657) [stretch] - libapache2-mod-nss <no-dsa> (Minor issue) [jessie] - libapache2-mod-nss <not-affected> (Vulnerability introduced in 1.0.11) @@ -82321,8 +82474,7 @@ CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...) - ceph-deploy <itp> (bug #694013) NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9 -CVE-2015-3405 [ntp-keygen may generate non-random symmetric keys on big-endian systems] - RESERVED +CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 ...) {DSA-3223-1 DLA-192-1} - ntp 1:4.2.6.p5+dfsg-7 NOTE: https://bugs.ntp.org/show_bug.cgi?id=2797 @@ -83443,8 +83595,7 @@ {DSA-3203-1 DLA-178-1} - tor 0.2.5.11-1 NOTE: https://trac.torproject.org/projects/tor/ticket/15083 -CVE-2015-2687 [information leak when live-migration failed] - RESERVED +CVE-2015-2687 (OpenStack Compute (nova) Icehouse, Juno and Havana when live migration ...) - nova 2014.1-1 [wheezy] - nova <no-dsa> (Minor issue) NOTE: This is no longer a security issue starting with icehouse, so marking 2014.1 as fixed @@ -84502,8 +84653,8 @@ NOT-FOR-US: WordPress plugin wordpress-seo CVE-2015-2292 (Multiple SQL injection vulnerabilities in ...) NOT-FOR-US: WordPress plugin wordpress-seo -CVE-2015-2291 - RESERVED +CVE-2015-2291 ((1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the ...) + TODO: check CVE-2015-2290 RESERVED CVE-2015-2288 @@ -84520,17 +84671,13 @@ RESERVED CVE-2014-9698 RESERVED -CVE-2015-2313 [CPU usage amplification attack #2] - RESERVED +CVE-2015-2313 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.2, when an ...) - capnproto 0.4.1-3 (bug #780568) -CVE-2015-2312 [CPU usage amplification attack] - RESERVED +CVE-2015-2312 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.1 allows ...) - capnproto 0.4.1-3 (bug #780567) -CVE-2015-2311 [Integer underflow in pointer validation] - RESERVED +CVE-2015-2311 (Integer underflow in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x ...) - capnproto 0.4.1-3 (bug #780566) -CVE-2015-2310 [Integer overflow in pointer validation] - RESERVED +CVE-2015-2310 (Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 ...) - capnproto 0.4.1-3 (bug #780565) CVE-2015-8856 (Cross-site scripting (XSS) vulnerability in the serve-index package ...) - node-serve-index <unfixed> (unimportant) @@ -84629,8 +84776,7 @@ NOT-FOR-US: Open edX CVE-2015-2285 (The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart ...) - upstart <not-affected> (Vulnerable cron.daily script not present) -CVE-2014-9701 [XSS issue in MantisBT permalink_page.php] - RESERVED +CVE-2014-9701 (Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and ...) - mantis <removed> (bug #780875) [wheezy] - mantis <no-dsa> (Minor issue) [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) @@ -84664,8 +84810,7 @@ NOT-FOR-US: SolarWinds Firewall Security Manager CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier ...) NOT-FOR-US: ZeusCart -CVE-2015-2674 [Doesn't Validate TLS] - RESERVED +CVE-2015-2674 (Restkit allows man-in-the-middle attackers to spoof TLS servers by ...) - python-restkit <unfixed> (bug #781813) [stretch] - python-restkit <no-dsa> (Minor issue) [jessie] - python-restkit <no-dsa> (Minor issue) @@ -85968,8 +86113,7 @@ {DSA-3222-1 DLA-193-1} - chrony 1.30-2 (bug #782160) NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=cf19042ecb656b8afec0cc4906e7dd3ea9266ac8 -CVE-2015-1820 [session fixation vulnerability] - RESERVED +CVE-2015-1820 (REST client for Ruby (aka rest-client) before 1.8.0 allows remote ...) - ruby-rest-client 1.6.7-6 (bug #781238) [wheezy] - ruby-rest-client <no-dsa> (The correction introduces a dependency on a package not available in wheezy) - librestclient-ruby <removed> @@ -89866,20 +90010,20 @@ REJECTED CVE-2015-0787 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote ...) NOT-FOR-US: NetIQ Designer for Identity Manager -CVE-2015-0786 - RESERVED -CVE-2015-0785 - RESERVED -CVE-2015-0784 - RESERVED -CVE-2015-0783 - RESERVED -CVE-2015-0782 - RESERVED -CVE-2015-0781 - RESERVED -CVE-2015-0780 - RESERVED +CVE-2015-0786 (Stack-based buffer overflow in the logging functionality in the ...) + TODO: check +CVE-2015-0785 (com.novell.zenworks.inventory.rtr.actionclasses.wcreports in Novell ...) + TODO: check +CVE-2015-0784 (Rtrlet.class in Novell ZENworks Configuration Management (ZCM) allows ...) + TODO: check +CVE-2015-0783 (The FileViewer class in Novell ZENworks Configuration Management (ZCM) ...) + TODO: check +CVE-2015-0782 (SQL injection vulnerability in the ScheduleQuery method of the ...) + TODO: check +CVE-2015-0781 (Directory traversal vulnerability in the doPost method of the Rtrlet ...) + TODO: check +CVE-2015-0780 (SQL injection vulnerability in the GetReRequestData method of the ...) + TODO: check CVE-2015-0779 (Directory traversal vulnerability in UploadServlet in Novell ZENworks ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0778 (osc before 0.151.0 allows remote attackers to execute arbitrary ...) @@ -100216,8 +100360,7 @@ CVE-2014-6394 (visionmedia send before 0.8.4 for Node.js uses a partial comparison ...) - node-send 0.9.4-1 NOTE: https://nodesecurity.io/advisories/send-directory-traversal -CVE-2014-6393 [cross-site scripting via content-type header] - RESERVED +CVE-2014-6393 (The Express web framework before 3.11 and 4.x before 4.5 for Node.js ...) - node-express <unfixed> (unimportant) NOTE: libv8 is not covered by security support CVE-2014-6392 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the ...) @@ -103224,8 +103367,8 @@ [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts) CVE-2014-5145 RESERVED -CVE-2014-5144 - RESERVED +CVE-2014-5144 (Cross-site scripting (XSS) vulnerability in Telescope before 0.9.3 ...) + TODO: check CVE-2014-5143 RESERVED CVE-2014-5142 @@ -146852,16 +146995,16 @@ [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) CVE-2012-2782 (Unspecified vulnerability in the decode_slice_header function in ...) - libav <not-affected> (Doesn't affect libav) -CVE-2012-2781 - RESERVED -CVE-2012-2780 - RESERVED +CVE-2012-2781 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact ...) + TODO: check +CVE-2012-2780 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact ...) + TODO: check CVE-2012-2779 (Unspecified vulnerability in the decode_frame function in ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <not-affected> (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) -CVE-2012-2778 - RESERVED +CVE-2012-2778 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact ...) + TODO: check CVE-2012-2777 (Unspecified vulnerability in the decode_pic function in ...) {DSA-2624-1} [squeeze] - ffmpeg 4:0.5.9-1 (bug #688849) @@ -146880,14 +147023,14 @@ - libav <not-affected> (there is no crash, just a couple uninitialized reads, harmless according to Janne) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f NOTE: patch proposed: http://patches.libav.org/patch/32644/ -CVE-2012-2773 - RESERVED +CVE-2012-2773 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact ...) + TODO: check CVE-2012-2772 (Unspecified vulnerability in the ff_rv34_decode_frame function in ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <not-affected> (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) -CVE-2012-2771 - RESERVED +CVE-2012-2771 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact ...) + TODO: check CVE-2012-2770 (The Authen::ExternalAuth extension before 0.11 for Best Practical ...) - rt-authen-externalauth 0.10-2 (bug #683288) CVE-2012-2769 (Multiple cross-site scripting (XSS) vulnerabilities in the topic ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits