Author: sectracker Date: 2017-08-10 21:10:12 +0000 (Thu, 10 Aug 2017) New Revision: 54583
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-08-10 21:07:04 UTC (rev 54582) +++ data/CVE/list 2017-08-10 21:10:12 UTC (rev 54583) @@ -1,3 +1,47 @@ +CVE-2017-12799 (The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows ...) + TODO: check +CVE-2017-12798 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q ...) + TODO: check +CVE-2017-12797 + RESERVED +CVE-2017-12796 + RESERVED +CVE-2017-12795 + RESERVED +CVE-2017-12794 + RESERVED +CVE-2017-12793 + RESERVED +CVE-2017-12792 + RESERVED +CVE-2017-12791 + RESERVED +CVE-2017-12790 + RESERVED +CVE-2017-12789 + RESERVED +CVE-2017-12788 + RESERVED +CVE-2017-12787 + RESERVED +CVE-2017-12786 + RESERVED +CVE-2017-12785 + RESERVED +CVE-2017-12784 + RESERVED +CVE-2017-12783 + RESERVED +CVE-2017-12782 + RESERVED +CVE-2017-12781 + RESERVED +CVE-2017-12780 + RESERVED +CVE-2017-12779 + RESERVED +CVE-2017-12778 + RESERVED CVE-2017-1000112 [Exploitable memory corruption due to UFO to non-UFO path switch] - linux <unfixed> (low) NOTE: Introduced by: https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac (2.6.15-rc1) @@ -4,6 +48,7 @@ NOTE: Fixed by: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa NOTE: Harmless in Debian since unprivileged user namespaces are disabled CVE-2017-1000117 + {DSA-3934-1} - git 1:2.14.1-1 NOTE: https://public-inbox.org/git/xmqqh8xf482j....@gitster.mtv.corp.google.com/T/#u CVE-2017-1000116 [command injection on clients through malicious ssh URLs] @@ -3957,6 +4002,7 @@ CVE-2017-11174 (In install/page_dbsettings.php in the Core distribution of XOOPS ...) NOT-FOR-US: XOOPS CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 allows a ...) + {DSA-3931-1} - ruby-rack-cors 0.4.1-1 [jessie] - ruby-rack-cors <not-affected> (Vulnerable code not present) CVE-2017-11172 @@ -4696,6 +4742,7 @@ NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806 CVE-2017-10983 (An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before ...) + {DSA-3930-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d @@ -4733,6 +4780,7 @@ NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10978 (An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before ...) + {DSA-3930-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 @@ -6204,6 +6252,7 @@ NOT-FOR-US: Apache commons email CVE-2017-9800 [Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url] RESERVED + {DSA-3932-1} - subversion 1.9.7-1 NOTE: Fixed by: http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691 NOTE: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt @@ -8924,10 +8973,12 @@ [wheezy] - asterisk <not-affected> (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source ...) + {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863902) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939 CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x ...) + {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863901) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist feature ...) @@ -11413,8 +11464,8 @@ NOT-FOR-US: Microsoft CVE-2017-8519 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft -CVE-2017-8518 - RESERVED +CVE-2017-8518 (Microsoft Edge allows a remote code execution vulnerability due to the ...) + TODO: check CVE-2017-8517 (Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8516 (Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, ...) @@ -14460,6 +14511,7 @@ RESERVED CVE-2017-7548 [lo_put() function ignores ACLs] RESERVED + {DSA-3936-1 DSA-3935-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 <removed> - postgresql-9.1 <removed> @@ -14468,6 +14520,7 @@ NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7547 [The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges] RESERVED + {DSA-3936-1 DSA-3935-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 <removed> - postgresql-9.1 <removed> @@ -14476,6 +14529,7 @@ NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7546 [Empty password accepted in some authentication methods] RESERVED + {DSA-3936-1 DSA-3935-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 <removed> - postgresql-9.1 <removed> @@ -27943,8 +27997,7 @@ {DSA-3792-1 DLA-910-1} - libreoffice 1:5.2.3-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/ -CVE-2017-3156 - RESERVED +CVE-2017-3156 (The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to ...) NOT-FOR-US: Apache CXF CVE-2017-3155 RESERVED @@ -28812,6 +28865,7 @@ RESERVED CVE-2017-2885 [stack based buffer overflow with HTTP Chunked Encoding] RESERVED + {DSA-3929-1} - libsoup2.4 2.56.1-1 (bug #871650) [wheezy] - libsoup2.4 <not-affected> (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785774 @@ -32068,8 +32122,8 @@ RESERVED CVE-2017-1432 RESERVED -CVE-2017-1431 - RESERVED +CVE-2017-1431 (IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to cross-site ...) + TODO: check CVE-2017-1430 RESERVED CVE-2017-1429 @@ -32176,8 +32230,8 @@ NOT-FOR-US: IBM CVE-2017-1378 RESERVED -CVE-2017-1377 - RESERVED +CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error messages ...) + TODO: check CVE-2017-1376 RESERVED CVE-2017-1375 @@ -32546,8 +32600,8 @@ NOT-FOR-US: IBM CVE-2017-1193 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow user to ...) NOT-FOR-US: IBM -CVE-2017-1192 - RESERVED +CVE-2017-1192 (IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External ...) + TODO: check CVE-2017-1191 RESERVED CVE-2017-1190 @@ -32582,8 +32636,8 @@ NOT-FOR-US: IBM CVE-2017-1175 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL ...) NOT-FOR-US: IBM -CVE-2017-1174 - RESERVED +CVE-2017-1174 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...) + TODO: check CVE-2017-1173 RESERVED CVE-2017-1172 @@ -32594,8 +32648,8 @@ NOT-FOR-US: IBM CVE-2017-1169 RESERVED -CVE-2017-1168 - RESERVED +CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager 4.0, 5.0, and 6.0 is ...) + TODO: check CVE-2017-1167 RESERVED CVE-2017-1166 @@ -37801,8 +37855,7 @@ [jessie] - apache2 <not-affected> (Vulnerable code not present) [wheezy] - apache2 <not-affected> (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 -CVE-2016-8739 - RESERVED +CVE-2016-8739 (The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to ...) NOT-FOR-US: Apache CXF CVE-2016-8738 RESERVED @@ -44049,8 +44102,7 @@ [jessie] - groovy2 2.2.2+dfsg-3+deb8u2 CVE-2016-6813 RESERVED -CVE-2016-6812 - RESERVED +CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x ...) NOT-FOR-US: Apache CXF CVE-2016-6811 REJECTED @@ -44120,8 +44172,7 @@ NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758496 (6.0.x) CVE-2016-6795 RESERVED -CVE-2016-6794 [Apache Tomcat System Property Disclosure] - RESERVED +CVE-2016-6794 (When a SecurityManager is configured, a web application's ability to ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842664) @@ -50742,8 +50793,7 @@ NOT-FOR-US: BIG-IP CVE-2016-5019 (CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through ...) NOT-FOR-US: Apache MyFaces Trinidad -CVE-2016-5018 [Apache Tomcat Security Manager Bypass] - RESERVED +CVE-2016-5018 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842663) @@ -59892,6 +59942,7 @@ - bind9 <not-affected> (Introduced in Bind 9.10) NOTE: https://kb.isc.org/article/AA-01351 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 2.11.0 ...) + {DLA-1050-1} - xchat 2.8.8-10 [jessie] - xchat <no-dsa> (Minor issue) - hexchat 2.12.4-4 (bug #852275) @@ -64592,8 +64643,7 @@ - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3 -CVE-2016-0762 [Apache Tomcat Realm Timing Attack] - RESERVED +CVE-2016-0762 (The Realm implementations in Apache Tomcat versions 9.0.0.M1 to ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842662) @@ -117745,16 +117795,14 @@ - qemu-kvm <removed> [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts) [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts) -CVE-2014-0146 - RESERVED +CVE-2014-0146 (The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm <removed> [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts) [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts) NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=11b128f4062dd7f89b14abc8877ff20d41b28be9 -CVE-2014-0145 - RESERVED +CVE-2014-0145 (Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm <removed> @@ -117767,15 +117815,13 @@ - qemu-kvm <removed> [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts) [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts) -CVE-2014-0143 - RESERVED +CVE-2014-0143 (Multiple integer overflows in the block drivers in QEMU, possibly ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm <removed> [squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts) [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts) -CVE-2014-0142 - RESERVED +CVE-2014-0142 (QEMU, possibly before 2.0.0, allows local users to cause a denial of ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm <removed> @@ -208964,9 +209010,9 @@ [squeeze] - libvorbisidec <no-dsa> (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-3.1 (bug #482518) CVE-2008-1422 - RESERVED + REJECTED CVE-2008-1421 - RESERVED + REJECTED CVE-2008-1420 (Integer overflow in residue partition value (aka partvals) evaluation ...) {DSA-1591-1} - libvorbisidec <not-affected> (Vulnerable code not present) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits