Author: sectracker
Date: 2017-08-10 21:10:12 +0000 (Thu, 10 Aug 2017)
New Revision: 54583

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-08-10 21:07:04 UTC (rev 54582)
+++ data/CVE/list       2017-08-10 21:10:12 UTC (rev 54583)
@@ -1,3 +1,47 @@
+CVE-2017-12799 (The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 
allows ...)
+       TODO: check
+CVE-2017-12798 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via 
the q ...)
+       TODO: check
+CVE-2017-12797
+       RESERVED
+CVE-2017-12796
+       RESERVED
+CVE-2017-12795
+       RESERVED
+CVE-2017-12794
+       RESERVED
+CVE-2017-12793
+       RESERVED
+CVE-2017-12792
+       RESERVED
+CVE-2017-12791
+       RESERVED
+CVE-2017-12790
+       RESERVED
+CVE-2017-12789
+       RESERVED
+CVE-2017-12788
+       RESERVED
+CVE-2017-12787
+       RESERVED
+CVE-2017-12786
+       RESERVED
+CVE-2017-12785
+       RESERVED
+CVE-2017-12784
+       RESERVED
+CVE-2017-12783
+       RESERVED
+CVE-2017-12782
+       RESERVED
+CVE-2017-12781
+       RESERVED
+CVE-2017-12780
+       RESERVED
+CVE-2017-12779
+       RESERVED
+CVE-2017-12778
+       RESERVED
 CVE-2017-1000112 [Exploitable memory corruption due to UFO to non-UFO path 
switch]
        - linux <unfixed> (low)
        NOTE: Introduced by: 
https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac 
(2.6.15-rc1)
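Review bot: the two newly published entries CVE-2017-12799 (GNU Binutils) and CVE-2017-12798 (NexusPHP) are left at `TODO: check` with no package line; the format used elsewhere in this file expects either a `- <package> <version>` line (as in `- linux <unfixed> (low)` just below) or a `NOT-FOR-US:` marker, so both should be triaged in a follow-up commit rather than left open. The twenty `RESERVED` placeholders (CVE-2017-12778 to CVE-2017-12797) need no action until MITRE publishes them.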
@@ -4,6 +48,7 @@
        NOTE: Fixed by: 
https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
        NOTE: Harmless in Debian since unprivileged user namespaces are disabled
 CVE-2017-1000117
+       {DSA-3934-1}
        - git 1:2.14.1-1
        NOTE: 
https://public-inbox.org/git/xmqqh8xf482j....@gitster.mtv.corp.google.com/T/#u
 CVE-2017-1000116 [command injection on clients through malicious ssh URLs]
@@ -3957,6 +4002,7 @@
 CVE-2017-11174 (In install/page_dbsettings.php in the Core distribution of 
XOOPS ...)
        NOT-FOR-US: XOOPS
 CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 
allows a ...)
+       {DSA-3931-1}
        - ruby-rack-cors 0.4.1-1
        [jessie] - ruby-rack-cors <not-affected> (Vulnerable code not present)
 CVE-2017-11172
@@ -4696,6 +4742,7 @@
        NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6
        NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806
 CVE-2017-10983 (An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x 
before ...)
+       {DSA-3930-1}
        - freeradius 3.0.15+dfsg-1 (bug #868765)
        NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206
        NOTE: 2.x: 
https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d
@@ -4733,6 +4780,7 @@
        NOTE: This is not fully technically correct, the issue affects only the 
2.x
        NOTE: series but not 3.x.
 CVE-2017-10978 (An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x 
before ...)
+       {DSA-3930-1}
        - freeradius 3.0.15+dfsg-1 (bug #868765)
        NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201
        NOTE: 2.x: 
https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68
@@ -6204,6 +6252,7 @@
        NOT-FOR-US: Apache commons email
 CVE-2017-9800 [Arbitrary code execution on clients through malicious svn+ssh 
URLs in svn:externals and svn:sync-from-url]
        RESERVED
+       {DSA-3932-1}
        - subversion 1.9.7-1
        NOTE: Fixed by: 
http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
        NOTE: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
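Review bot: the Fixed-by URL in the context lines under CVE-2017-9800 uses `&amp;` as the query-string separator (`view=revision&amp;sortby=rev&amp;revision=1804691`), whereas the other viewvc link in this file uses a bare `&` (`view=revision&revision=1758496`); if the stored line really contains the HTML entity rather than a literal ampersand, the link will not resolve to the intended revision and should be un-escaped.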
@@ -8924,10 +8973,12 @@
        [wheezy] - asterisk <not-affected> (Vulnerable code not present)
        NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt
 CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open 
Source ...)
+       {DSA-3933-1}
        - pjproject 2.5.5~dfsg-6 (bug #863902)
        NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939
 CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 
14.x ...)
+       {DSA-3933-1}
        - pjproject 2.5.5~dfsg-6 (bug #863901)
        NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt
 CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist 
feature ...)
@@ -11413,8 +11464,8 @@
        NOT-FOR-US: Microsoft
 CVE-2017-8519 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 
2008 and ...)
        NOT-FOR-US: Microsoft
-CVE-2017-8518
-       RESERVED
+CVE-2017-8518 (Microsoft Edge allows a remote code execution vulnerability due 
to the ...)
+       TODO: check
 CVE-2017-8517 (Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 
SP1, ...)
        NOT-FOR-US: Microsoft
 CVE-2017-8516 (Microsoft SQL Server Analysis Services in Microsoft SQL Server 
2012, ...)
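Review bot: CVE-2017-8518 is now expanded to its Microsoft Edge description but carries `TODO: check`, while its immediate neighbours CVE-2017-8519 and CVE-2017-8517 are already marked `NOT-FOR-US: Microsoft`; the same marker applies here and the TODO can be resolved in the same triage pass.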
@@ -14460,6 +14511,7 @@
        RESERVED
 CVE-2017-7548 [lo_put() function ignores ACLs]
        RESERVED
+       {DSA-3936-1 DSA-3935-1}
        - postgresql-9.6 9.6.4-1
        - postgresql-9.4 <removed>
        - postgresql-9.1 <removed>
@@ -14468,6 +14520,7 @@
        NOTE: https://www.postgresql.org/about/news/1772/
 CVE-2017-7547 [The "pg_user_mappings" catalog view discloses passwords to 
users lacking server privileges]
        RESERVED
+       {DSA-3936-1 DSA-3935-1}
        - postgresql-9.6 9.6.4-1
        - postgresql-9.4 <removed>
        - postgresql-9.1 <removed>
@@ -14476,6 +14529,7 @@
        NOTE: https://www.postgresql.org/about/news/1772/
 CVE-2017-7546 [Empty password accepted in some authentication methods]
        RESERVED
+       {DSA-3936-1 DSA-3935-1}
        - postgresql-9.6 9.6.4-1
        - postgresql-9.4 <removed>
        - postgresql-9.1 <removed>
@@ -27943,8 +27997,7 @@
        {DSA-3792-1 DLA-910-1}
        - libreoffice 1:5.2.3-1
        NOTE: 
https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/
-CVE-2017-3156
-       RESERVED
+CVE-2017-3156 (The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF 
prior to ...)
        NOT-FOR-US: Apache CXF
 CVE-2017-3155
        RESERVED
@@ -28812,6 +28865,7 @@
        RESERVED
 CVE-2017-2885 [stack based buffer overflow with HTTP Chunked Encoding]
        RESERVED
+       {DSA-3929-1}
        - libsoup2.4 2.56.1-1 (bug #871650)
        [wheezy] - libsoup2.4 <not-affected> (Vulnerable code not present)
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785774
@@ -32068,8 +32122,8 @@
        RESERVED
 CVE-2017-1432
        RESERVED
-CVE-2017-1431
-       RESERVED
+CVE-2017-1431 (IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to 
cross-site ...)
+       TODO: check
 CVE-2017-1430
        RESERVED
 CVE-2017-1429
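Review bot: CVE-2017-1431 (IBM InfoSphere Streams) is left at `TODO: check` although the surrounding IBM entries in this region are marked `NOT-FOR-US: IBM`; the same resolution applies to the other IBM entries this update expands (CVE-2017-1377, CVE-2017-1192, CVE-2017-1174, CVE-2017-1168), whose neighbours are likewise `NOT-FOR-US: IBM`, so they can be triaged together rather than one by one.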
@@ -32176,8 +32230,8 @@
        NOT-FOR-US: IBM
 CVE-2017-1378
        RESERVED
-CVE-2017-1377
-       RESERVED
+CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error 
messages ...)
+       TODO: check
 CVE-2017-1376
        RESERVED
 CVE-2017-1375
@@ -32546,8 +32600,8 @@
        NOT-FOR-US: IBM
 CVE-2017-1193 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow 
user to ...)
        NOT-FOR-US: IBM
-CVE-2017-1192
-       RESERVED
+CVE-2017-1192 (IBM Sterling B2B Integrator 5.2 is vulnerable to an XML 
External ...)
+       TODO: check
 CVE-2017-1191
        RESERVED
 CVE-2017-1190
@@ -32582,8 +32636,8 @@
        NOT-FOR-US: IBM
 CVE-2017-1175 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to 
SQL ...)
        NOT-FOR-US: IBM
-CVE-2017-1174
-       RESERVED
+CVE-2017-1174 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable 
to SQL ...)
+       TODO: check
 CVE-2017-1173
        RESERVED
 CVE-2017-1172
@@ -32594,8 +32648,8 @@
        NOT-FOR-US: IBM
 CVE-2017-1169
        RESERVED
-CVE-2017-1168
-       RESERVED
+CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager 4.0, 5.0, and 6.0 is 
...)
+       TODO: check
 CVE-2017-1167
        RESERVED
 CVE-2017-1166
@@ -37801,8 +37855,7 @@
        [jessie] - apache2 <not-affected> (Vulnerable code not present)
        [wheezy] - apache2 <not-affected> (Vulnerable code not present)
        NOTE: HTTP/2 support introduced in 2.4.17
-CVE-2016-8739
-       RESERVED
+CVE-2016-8739 (The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior 
to ...)
        NOT-FOR-US: Apache CXF
 CVE-2016-8738
        RESERVED
@@ -44049,8 +44102,7 @@
        [jessie] - groovy2 2.2.2+dfsg-3+deb8u2
 CVE-2016-6813
        RESERVED
-CVE-2016-6812
-       RESERVED
+CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 
3.1.x ...)
        NOT-FOR-US: Apache CXF
 CVE-2016-6811
        REJECTED
@@ -44120,8 +44172,7 @@
        NOTE: Fixed by: 
https://svn.apache.org/viewvc?view=revision&revision=1758496 (6.0.x)
 CVE-2016-6795
        RESERVED
-CVE-2016-6794 [Apache Tomcat System Property Disclosure]
-       RESERVED
+CVE-2016-6794 (When a SecurityManager is configured, a web application's 
ability to ...)
        {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
        - tomcat8 8.0.37-1 (low)
        - tomcat7 7.0.72-1 (low; bug #842664)
@@ -50742,8 +50793,7 @@
        NOT-FOR-US: BIG-IP
 CVE-2016-5019 (CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 
through ...)
        NOT-FOR-US: Apache MyFaces Trinidad
-CVE-2016-5018 [Apache Tomcat Security Manager Bypass]
-       RESERVED
+CVE-2016-5018 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 
8.0.0.RC1 to ...)
        {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
        - tomcat8 8.0.37-1 (low)
        - tomcat7 7.0.72-1 (low; bug #842663)
@@ -59892,6 +59942,7 @@
        - bind9 <not-affected> (Introduced in Bind 9.10)
        NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 
2.11.0 ...)
+       {DLA-1050-1}
        - xchat 2.8.8-10
        [jessie] - xchat <no-dsa> (Minor issue)
        - hexchat 2.12.4-4 (bug #852275)
@@ -64592,8 +64643,7 @@
        - tomcat6 6.0.41-3
        NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
        NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3
-CVE-2016-0762 [Apache Tomcat Realm Timing Attack]
-       RESERVED
+CVE-2016-0762 (The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 
...)
        {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
        - tomcat8 8.0.37-1 (low)
        - tomcat7 7.0.72-1 (low; bug #842662)
@@ -117745,16 +117795,14 @@
        - qemu-kvm <removed>
        [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
        [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0146
-       RESERVED
+CVE-2014-0146 (The qcow2_open function in the (block/qcow2.c) in QEMU before 
1.7.2 ...)
        {DSA-3045-1 DSA-3044-1}
        - qemu 2.0.0+dfsg-1 (bug #742730)
        - qemu-kvm <removed>
        [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
        [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
        NOTE: Upstream commit: 
http://git.qemu.org/?p=qemu.git;a=commit;h=11b128f4062dd7f89b14abc8877ff20d41b28be9
-CVE-2014-0145
-       RESERVED
+CVE-2014-0145 (Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 
2.0.0, ...)
        {DSA-3045-1 DSA-3044-1}
        - qemu 2.0.0+dfsg-1 (bug #742730)
        - qemu-kvm <removed>
@@ -117767,15 +117815,13 @@
        - qemu-kvm <removed>
        [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
        [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0143
-       RESERVED
+CVE-2014-0143 (Multiple integer overflows in the block drivers in QEMU, 
possibly ...)
        {DSA-3045-1 DSA-3044-1}
        - qemu 2.0.0+dfsg-1 (bug #742730)
        - qemu-kvm <removed>
        [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
        [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0142
-       RESERVED
+CVE-2014-0142 (QEMU, possibly before 2.0.0, allows local users to cause a 
denial of ...)
        {DSA-3045-1 DSA-3044-1}
        - qemu 2.0.0+dfsg-1 (bug #742730)
        - qemu-kvm <removed>
@@ -208964,9 +209010,9 @@
        [squeeze] - libvorbisidec <no-dsa> (Minor issue, no dev-deps)
        - libvorbis 1.2.0.dfsg-3.1 (bug #482518)
 CVE-2008-1422
-       RESERVED
+       REJECTED
 CVE-2008-1421
-       RESERVED
+       REJECTED
 CVE-2008-1420 (Integer overflow in residue partition value (aka partvals) 
evaluation ...)
        {DSA-1591-1}
        - libvorbisidec <not-affected> (Vulnerable code not present)


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
