Author: sectracker Date: 2017-09-20 21:10:14 +0000 (Wed, 20 Sep 2017) New Revision: 55945
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-09-20 21:02:39 UTC (rev 55944) +++ data/CVE/list 2017-09-20 21:10:14 UTC (rev 55945) @@ -1,3 +1,29 @@ +CVE-2017-14616 (An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If ...) + TODO: check +CVE-2017-14615 (An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. ...) + TODO: check +CVE-2017-14614 + RESERVED +CVE-2017-14613 + RESERVED +CVE-2017-14612 + RESERVED +CVE-2017-14611 + RESERVED +CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 ...) + TODO: check +CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file after ...) + TODO: check +CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to ...) + TODO: check +CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ...) + TODO: check +CVE-2017-14606 + RESERVED +CVE-2017-14605 + RESERVED +CVE-2015-9231 (iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords ...) + TODO: check CVE-2017-14604 (GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by ...) - nautilus 3.25.90-1 (bug #860268) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777991 @@ -18,10 +44,10 @@ RESERVED CVE-2017-14597 (AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the ...) NOT-FOR-US: AfterLogic WebMail -CVE-2017-14596 - RESERVED -CVE-2017-14595 - RESERVED +CVE-2017-14596 (In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication ...) + TODO: check +CVE-2017-14595 (In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the ...) + TODO: check CVE-2017-14594 RESERVED CVE-2017-14593 @@ -291,7 +317,7 @@ CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://patchwork.kernel.org/patch/9923803/ CVE-2017-14488 @@ -661,11 +687,11 @@ NOTE: https://github.com/LibRaw/LibRaw/issues/100 NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2 CVE-2017-14340 (The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc -CVE-2017-14339 - RESERVED +CVE-2017-14339 (The DNS packet parser in YADIFA before 2.2.6 does not check for the ...) + TODO: check CVE-2017-14338 RESERVED CVE-2017-14337 (When MISP before 2.4.80 is configured with X.509 certificate ...) @@ -1163,7 +1189,7 @@ CVE-2017-14157 RESERVED CVE-2017-14156 (The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (low) CVE-2017-14155 RESERVED @@ -1196,7 +1222,7 @@ NOTE: https://marc.info/?l=kvm&m=150549145711115&w=2 NOTE: https://marc.info/?l=kvm&m=150549146311117&w=2 CVE-2017-1000251 (The native Bluetooth stack in the Linux Kernel (BlueZ), starting at ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (bug #875881) NOTE: Fixed by: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 NOTE: https://www.armis.com/blueborne/ @@ -1234,7 +1260,7 @@ CVE-2017-14141 (The wiki_decode Developer System Helper function in the admin panel in ...) NOT-FOR-US: Kaltura CVE-2017-14140 (The move_pages system call in mm/migrate.c in the Linux kernel before ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: Fixed by: https://git.kernel.org/linus/197e7e521384a23b9e585178f3f11c9fa08274b9 CVE-2017-14139 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in ...) @@ -1358,7 +1384,7 @@ CVE-2017-14104 RESERVED CVE-2017-14106 (The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8 (v4.12-rc3) CVE-2017-14103 (The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in ...) @@ -5190,11 +5216,12 @@ CVE-2017-12778 RESERVED CVE-2017-1000112 [Exploitable memory corruption due to UFO to non-UFO path switch] + {DSA-3981-1} - linux 4.12.6-1 (low) NOTE: Introduced by: https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac (2.6.15-rc1) NOTE: Fixed by: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa CVE-2017-1000111 [heap out-of-bounds in AF_PACKET sockets] - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Introduced by: https://git.kernel.org/linus/8913336a7e8d56e984109a3137d6c0e3362596a4 (2.6.27-rc1) NOTE: Fixed by: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7 @@ -5641,8 +5668,7 @@ RESERVED CVE-2017-12612 (In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe ...) NOT-FOR-US: Apache Spark -CVE-2017-12611 - RESERVED +CVE-2017-12611 (In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an ...) - libstruts1.2-java <removed> [wheezy] - libstruts1.2-java <ignored> (Minor issue) NOTE: Only a problem if the application programmer has made a security mistake. @@ -6739,13 +6765,13 @@ - tripleo-heat-templates <undetermined> CVE-2017-12154 [kvm: nVMX: L2 guest could access hardware(L0) CR8 register] RESERVED - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f (v4.14-rc1) NOTE: https://www.spinics.net/lists/kvm/msg155414.html CVE-2017-12153 [null pointer dereference in nl80211_set_rekey_data()] RESERVED - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://marc.info/?t=150525503100001&r=1&w=2 NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2 @@ -6814,7 +6840,7 @@ - xen <unfixed> NOTE: https://xenbits.xen.org/xsa/advisory-226.html CVE-2017-12134 (The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: https://xenbits.xen.org/xsa/advisory-229.html NOTE: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 (v4.13-rc6) @@ -8242,7 +8268,7 @@ CVE-2017-11601 RESERVED CVE-2017-11600 (net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: http://seclists.org/bugtraq/2017/Jul/30 CVE-2017-11599 @@ -11740,8 +11766,7 @@ - libstruts1.2-java <removed> [wheezy] - libstruts1.2-java <not-affected> (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-052.html -CVE-2017-9804 - RESERVED +CVE-2017-9804 (In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an ...) - libstruts1.2-java <removed> [wheezy] - libstruts1.2-java <ignored> (Minor issue) NOTE: DOS class vulnerability and classified as low by upstream. @@ -11760,6 +11785,7 @@ CVE-2017-9799 (It was found that under some situations and configurations of Apache ...) NOT-FOR-US: Apache Storm CVE-2017-9798 (Apache httpd allows remote attackers to read secret data from process ...) + {DSA-3980-1} - apache2 <unfixed> (bug #876109) NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html NOTE: https://github.com/hannob/optionsbleed @@ -11773,8 +11799,7 @@ RESERVED CVE-2017-9794 RESERVED -CVE-2017-9793 - RESERVED +CVE-2017-9793 (The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through ...) - libstruts1.2-java <removed> [wheezy] - libstruts1.2-java <not-affected> (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-051.html @@ -13369,10 +13394,12 @@ - exim4 4.89-3 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000370 (The offset2lib patch as used in the Linux Kernel contains a ...) + {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux <not-affected> (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000371 (The offset2lib patch as used by the Linux Kernel contains a ...) + {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux <not-affected> (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt @@ -13727,16 +13754,16 @@ RESERVED CVE-2017-9650 (An Unrestricted Upload of File with Dangerous Type issue was discovered ...) NOT-FOR-US: Automated Logic Corporation (ALC) -CVE-2017-9649 - RESERVED +CVE-2017-9649 (A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion ...) + TODO: check CVE-2017-9648 (An Uncontrolled Search Path Element issue was discovered in Solar ...) NOT-FOR-US: Solar Controls WATTConfig M Software CVE-2017-9647 (A Stack-Based Buffer Overflow issue was discovered in the Continental ...) NOT-FOR-US: Continental AG Infineon S-Gold CVE-2017-9646 (An Uncontrolled Search Path Element issue was discovered in Solar ...) NOT-FOR-US: Solar Controls Heating Control Downloader (HCDownloader) -CVE-2017-9645 - RESERVED +CVE-2017-9645 (An Inadequate Encryption Strength issue was discovered in Mirion ...) + TODO: check CVE-2017-9644 (An Unquoted Search Path or Element issue was discovered in Automated ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9643 @@ -13847,8 +13874,8 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/08/14/1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd NOTE: https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89 -CVE-2017-9607 - RESERVED +CVE-2017-9607 (The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might ...) + TODO: check CVE-2017-9606 (Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local ...) NOT-FOR-US: Infotecs ViPNet Client and Coordinator CVE-2017-9604 (KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in ...) @@ -14859,7 +14886,7 @@ CVE-2014-9971 (In all Qualcomm products with Android releases from CAF using the ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-1000380 (sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a ...) - {DLA-1099-1} + {DSA-3981-1 DLA-1099-1} - linux 4.11.6-1 NOTE: Fixed by: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378 (v4.12-rc5) NOTE: Fixed by: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728 (v4.12-rc5) @@ -16563,12 +16590,12 @@ NOT-FOR-US: Quick Heal Internet Security CVE-2017-8773 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security ...) NOT-FOR-US: Quick Heal Internet Security -CVE-2017-8772 - RESERVED -CVE-2017-8771 - RESERVED -CVE-2017-8770 - RESERVED +CVE-2017-8772 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet ...) + TODO: check +CVE-2017-8771 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet ...) + TODO: check +CVE-2017-8770 (There is LFD (local file disclosure) on BE126 WIFI repeater 1.0 ...) + TODO: check CVE-2017-8769 (** DISPUTED ** Facebook WhatsApp Messenger 2.17.146 for Android uses ...) NOT-FOR-US: WhatsApp Messenger CVE-2017-8768 (Atlassian SourceTree v2.5c and prior are affected by a command ...) @@ -18708,8 +18735,8 @@ NOT-FOR-US: OSIsoft CVE-2017-7925 (A Password in Configuration File issue was discovered in Dahua ...) NOT-FOR-US: Dahua -CVE-2017-7924 - RESERVED +CVE-2017-7924 (An Improper Input Validation issue was discovered in Rockwell ...) + TODO: check CVE-2017-7923 (A Password in Configuration File issue was discovered in Hikvision ...) NOT-FOR-US: Hikvision CVE-2017-7922 (An Improper Privilege Management issue was discovered in Cambium ...) @@ -20344,6 +20371,7 @@ NOTE: http://tracker.ceph.com/issues/20240 CVE-2017-7518 [debug exception via syscall emulation] RESERVED + {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux <not-affected> (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/06/23/5 @@ -43715,8 +43743,8 @@ NOTE: HTTP/2 support introduced in 2.4.17 CVE-2016-8739 (The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to ...) NOT-FOR-US: Apache CXF -CVE-2016-8738 - RESERVED +CVE-2016-8738 (In Apache Struts 2.5 through 2.5.5, if an application allows entering ...) + TODO: check CVE-2016-8737 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable to ...) NOT-FOR-US: Apache Brooklyn CVE-2016-8736 @@ -50031,8 +50059,8 @@ NOTE: Fixed by: http://svn.apache.org/r1758494 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1758495 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758496 (6.0.x) -CVE-2016-6795 - RESERVED +CVE-2016-6795 (In the Convention plugin in Apache Struts 2.3.20 through 2.3.30, it is ...) + TODO: check CVE-2016-6794 (When a SecurityManager is configured, a web application's ability to ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) @@ -72824,8 +72852,8 @@ CVE-2015-8466 (Swift3 before 1.9 allows remote attackers to conduct replay attacks ...) {DSA-3583-1} - swift-plugin-s3 1.9-1 (bug #822688) -CVE-2014-9758 - RESERVED +CVE-2014-9758 (Cross-site scripting (XSS) vulnerability in Magento E-Commerce ...) + TODO: check CVE-2015-XXXX [uses non-random tempdir /tmp/tmprepo.0/.git/] - git-repair 1.20151215-1 (unimportant; bug #807341) NOTE: Non-exploitable on release archs due to kernel hardening @@ -73597,8 +73625,8 @@ NOT-FOR-US: Huawei CVE-2015-8225 (The Joint Photographic Experts Group Processing Unit (JPU) driver in ...) NOT-FOR-US: Huawei -CVE-2015-8224 - RESERVED +CVE-2015-8224 (Huawei P8 before GRA-CL00C92B210, before GRA-L09C432B200, before ...) + TODO: check CVE-2015-8223 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B85, and ...) NOT-FOR-US: Huawei CVE-2015-8222 (The lxd-unix.socket systemd unit file in the Ubuntu lxd package before ...) @@ -76290,8 +76318,8 @@ RESERVED CVE-2015-7348 (Cross-site scripting (XSS) vulnerability in zTree 3.5.19.1 and ...) NOT-FOR-US: zTree -CVE-2015-7347 - RESERVED +CVE-2015-7347 (Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages ...) + TODO: check CVE-2015-7346 (SQL injection vulnerability in ZCMS 1.1. ...) NOT-FOR-US: ZCMS CVE-2015-7345 @@ -78520,8 +78548,7 @@ - drupal7 7.39-1 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 -CVE-2015-6673 [use-after-free vulnerability in Decoder.cpp] - RESERVED +CVE-2015-6673 (Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32. ...) - libpgf 6.14.12-3.2 (bug #798032) [jessie] - libpgf <no-dsa> (Minor issue, can be fixed via a point release) NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/14 @@ -80841,8 +80868,8 @@ NOT-FOR-US: SolarWinds CVE-2015-5609 (Absolute path traversal vulnerability in the Image Export plugin 1.1 ...) NOT-FOR-US: Image Export plugin for WordPress -CVE-2015-5608 - RESERVED +CVE-2015-5608 (Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. ...) + TODO: check CVE-2015-5606 RESERVED CVE-2015-5605 (The regular-expression implementation in Google V8, as used in Google ...) @@ -81229,8 +81256,7 @@ RESERVED CVE-2015-5462 RESERVED -CVE-2015-5607 [IPython CSRF validation] - RESERVED +CVE-2015-5607 (Cross-site request forgery in the REST API in IPython 2 and 3. ...) - ipython 2.4.1-1 (bug #793123) [jessie] - ipython <no-dsa> (Minor issue) [wheezy] - ipython <no-dsa> (Minor issue) @@ -81480,8 +81506,7 @@ [squeeze] - hostapd <not-affected> (v0.7.0-v2.4 with CONFIG_WPS_NFC=y) NOTE: http://www.openwall.com/lists/oss-security/2015/07/08/3 NOTE: http://w1.fi/security/2015-5/ -CVE-2015-5395 [CSRF] - RESERVED +CVE-2015-5395 (Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. ...) - sogo 3.2.4-0.2 (bug #796197) [wheezy] - sogo <end-of-life> (not supported in Wheezy LTS) NOTE: https://lists.debian.org/debian-lts/2016/05/msg00197.html @@ -82011,8 +82036,7 @@ NOT-FOR-US: OpenShift CVE-2015-5249 REJECTED -CVE-2015-5248 - RESERVED +CVE-2015-5248 (Reflected file download vulnerability in Red Hat Feedhenry Enterprise ...) NOT-FOR-US: Red Hat Mobile CVE-2015-5247 (The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows ...) - libvirt 1.2.20-1 (bug #799132) @@ -82274,8 +82298,7 @@ [squeeze] - eglibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784 NOTE: Originally proposed for jessie 8.8, but breaks the NSS ABI so was retracted -CVE-2015-5179 [non-printable characters aren't check in every case of user data] - RESERVED +CVE-2015-5179 (FreeIPA might display user data improperly via vectors involving ...) - freeipa <unfixed> (bug #795399) NOTE: https://fedorahosted.org/freeipa/ticket/5153 CVE-2015-5178 (The Management Console in Red Hat Enterprise Application Platform ...) @@ -83659,8 +83682,7 @@ NOTE: https://mantisbt.org/bugs/view.php?id=19873 CVE-2015-5057 (Cross-site scripting (XSS) vulnerability exists in the Wordpress admin ...) NOT-FOR-US: WordPress plugin broken-link-checker -CVE-2015-4707 [IPython XSS in JSON error responses -- /api/notebooks path] - RESERVED +CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2. ...) - ipython 2.4.1-1 (bug #789824) [jessie] - ipython <no-dsa> (Minor issue) [wheezy] - ipython <not-affected> (Problematic code introduced in rel-2.0.0) @@ -85282,14 +85304,14 @@ NOT-FOR-US: Fortinet CVE-2015-4076 RESERVED -CVE-2015-4075 - RESERVED -CVE-2015-4074 - RESERVED -CVE-2015-4073 - RESERVED -CVE-2015-4072 - RESERVED +CVE-2015-4075 (The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote ...) + TODO: check +CVE-2015-4074 (Directory traversal vulnerability in the Helpdesk Pro plugin before ...) + TODO: check +CVE-2015-4073 (Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin ...) + TODO: check +CVE-2015-4072 (Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk ...) + TODO: check CVE-2015-4071 (The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote ...) NOT-FOR-US: Helpdesk Pro Plugin for Joomla! CVE-2015-4070 (Open redirect vulnerability in the proxyimages function in ...) @@ -85847,8 +85869,8 @@ RESERVED CVE-2015-3891 RESERVED -CVE-2015-3890 - RESERVED +CVE-2015-3890 (Use-after-free vulnerability in Open Litespeed before 1.3.10. ...) + TODO: check CVE-2015-3889 RESERVED CVE-2015-3888 @@ -88926,8 +88948,7 @@ RESERVED CVE-2015-2832 RESERVED -CVE-2015-2927 [DoS] - RESERVED +CVE-2015-2927 (node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause ...) - node <removed> (bug #777013) [jessie] - node <no-dsa> (Minor issue) [squeeze] - node <no-dsa> (Minor issue) @@ -88998,8 +89019,7 @@ NOT-FOR-US: CA Spectrum CVE-2015-2827 (Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and ...) NOT-FOR-US: CA Spectrum -CVE-2015-2826 - RESERVED +CVE-2015-2826 (WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote ...) NOT-FOR-US: WordPress plugin simple-ads-manager CVE-2015-2825 (Unrestricted file upload vulnerability in sam-ajax-admin.php in the ...) NOT-FOR-US: WordPress plugin simple-ads-manager @@ -91975,11 +91995,9 @@ - pacemaker <not-affected> (Vulnerable code not present) NOTE: Introduced by: https://github.com/ClusterLabs/pacemaker/commit/f242c1ef (Pacemaker-1.1.12-rc1) NOTE: Fixed by: https://github.com/ClusterLabs/pacemaker/commit/84ac07c (Pacemaker-1.1.13-rc2) -CVE-2015-1866 - RESERVED +CVE-2015-1866 (Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before ...) NOT-FOR-US: ember.js -CVE-2015-1865 ["time of check to time of use" race condition fts.c] - RESERVED +CVE-2015-1865 (fts.c in coreutils 8.4 allows local users to delete arbitrary files. ...) - coreutils 8.13-1 (low) [squeeze] - coreutils <no-dsa> (Minor issue) NOTE: relevant code changed between 8.5 and 8.13, see https://bugzilla.redhat.com/show_bug.cgi?id=1211300 for details @@ -93818,8 +93836,8 @@ CVE-2015-1330 (unattended-upgrades before 0.86.1 does not properly authenticate ...) {DSA-3297-1 DLA-267-1} - unattended-upgrades 0.86.1 -CVE-2015-1329 - RESERVED +CVE-2015-1329 (Use-after-free vulnerability in oxide::qt::URLRequestDelegatedJob in ...) + TODO: check CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) package ...) - linux <not-affected> (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian) - linux-2.6 <not-affected> (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian) @@ -99526,8 +99544,8 @@ REJECTED CVE-2015-0163 RESERVED -CVE-2015-0162 - RESERVED +CVE-2015-0162 (IBM Security SiteProtector System 3.0, 3.1, and 3.1.1 allows local ...) + TODO: check CVE-2015-0161 (SQL injection vulnerability in IBM Security SiteProtector System 3.0 ...) NOT-FOR-US: IBM CVE-2015-0160 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits