Author: jmm
Date: 2017-02-08 18:15:56 +0000 (Wed, 08 Feb 2017)
New Revision: 48774

Modified:
   data/CVE/list
Log:
new php non-issue
NFUs
some android-specific Linux patches


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-02-08 18:08:33 UTC (rev 48773)
+++ data/CVE/list       2017-02-08 18:15:56 UTC (rev 48774)
@@ -853,7 +853,9 @@
 CVE-2017-5631
        RESERVED
 CVE-2017-5630 (PECL in the download utility class in the Installer in PEAR 
Base System ...)
-       TODO: check
+       - php5 <unfixed> (unimportant)
+       - php-pear <unfixed> (unimportant)
+       NOTE: pear performs no kind of authentication/integrity checks for 
downloads, so an attacker can MITM freely anyway
 CVE-2017-5629
        RESERVED
 CVE-2017-5626
@@ -14528,7 +14530,6 @@
        NOTE: PHP Bug: https://bugs.php.net/bug.php?id=67397
        NOTE: Upstream patch: 
https://bugs.php.net/patch-display.php?bug_id=67397&patch=bug67397-patch&revision=latest
        NOTE: PHP workaround for CVE-2014-9911 in icu
-       TODO: double-check first fixing version in unstable
 CVE-2016-4412 (An issue was discovered in phpMyAdmin. A user can be tricked 
into ...)
        {DLA-757-1}
        - phpmyadmin 4:4.1.7-1
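Review bot: the "TODO: double-check first fixing version in unstable" line is dropped, but the hunk shows no change to the fixed-version line for the CVE-2014-9911 PHP workaround and the commit log ("new php non-issue, NFUs, android-specific Linux patches") does not mention it, so the outcome of that check is not recorded anywhere; if the version was confirmed, a one-line NOTE saying so (or a mention in the log) keeps the entry auditable.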
@@ -22295,7 +22296,7 @@
        NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/eceb70c41ecc
        NOTE: 
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
 CVE-2016-7147 (Cross-site scripting (XSS) vulnerability in the 
manage_findResult ...)
-       TODO: check
+       NOT-FOR-US: Plone
 CVE-2016-7146 (MoinMoin 1.9.8 allows remote attackers to conduct 
&quot;JavaScript ...)
        {DSA-3715-1 DLA-717-1}
        - moin 1.9.9-1 (bug #844340)
@@ -23694,7 +23695,7 @@
 CVE-2016-6699 (A remote code execution vulnerability in libstagefright in 
Mediaserver ...)
        NOT-FOR-US: libstagefright
 CVE-2016-6698 (An information disclosure vulnerability in Qualcomm components 
...)
-       TODO: check
+       NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-6697
        RESERVED
 CVE-2016-6696 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm 
QDSP6v2 ...)
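Review bot: CVE-2016-6698 is recorded as "NOT-FOR-US: Qualcomm driver for Android", while the Qualcomm kernel-driver entries later in this same commit (CVE-2016-5342, CVE-2016-5343, CVE-2016-5344) are recorded as "- linux <not-affected> (Android-specific kernel patch)". Both are defensible, but out-of-tree Android/Qualcomm kernel code should be tracked one way so that queries for linux entries do not return a partial picture; pick one convention and apply it to both hunks.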
@@ -23800,7 +23801,7 @@
 CVE-2016-6668 (The Atlassian Hipchat Integration Plugin for Bitbucket Server 
6.26.0 ...)
        NOT-FOR-US: Atlassian Hipchat Integration Plugin for Bitbucket Server
 CVE-2016-6667 (NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 
through ...)
-       TODO: check
+       NOT-FOR-US: NetApp
 CVE-2016-6666
        RESERVED
 CVE-2016-6665
@@ -24575,7 +24576,7 @@
        NOTE: Introduced by: 
https://git.kernel.org/linus/54dbc15172375641ef03399e8f911d7165eb90fb (v4.5-rc1)
        NOTE: Fixed by: 
https://git.kernel.org/linus/10eec60ce79187686e052092e5383c99b4420a20
 CVE-2016-6495 (NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, 
allows ...)
-       TODO: check
+       NOT-FOR-US: NetApp
 CVE-2016-6493 (Citrix XenApp 6.x before 6.5 HRP07 and 7.x before 7.9 and 
Citrix ...)
        NOT-FOR-US: Citrix
 CVE-2016-XXXX [bruteforcable challenge responses in unprotected logfile]
@@ -24618,7 +24619,7 @@
 CVE-2016-6485
        RESERVED
 CVE-2016-6484 (CRLF injection vulnerability in Infoblox Network Automation 
NetMRI ...)
-       TODO: check
+       NOT-FOR-US: Infoblox Network Automation NetMR
 CVE-2016-6513 (epan/dissectors/packet-wbxml.c in the WBXML dissector in 
Wireshark 2.x ...)
        - wireshark 2.0.5+ga3be9c6-1
        [jessie] - wireshark <not-affected> (Only affects 2.x)
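Review bot: the new line reads "NOT-FOR-US: Infoblox Network Automation NetMR", but the CVE description two lines above names the product "NetMRI"; the trailing "I" appears to have been dropped. Suggest "NOT-FOR-US: Infoblox Network Automation NetMRI".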
@@ -24750,41 +24751,41 @@
 CVE-2016-6475
        RESERVED
 CVE-2016-6474 (A vulnerability in the implementation of X.509 Version 3 for 
SSH ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6473 (A vulnerability in Cisco IOS on Catalyst Switches and Nexus 
9300 Series ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6472 (A vulnerability in several parameters of the ccmivr page of 
Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6471 (A vulnerability in the web-based management interface of Cisco 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6470 (A vulnerability in the installation procedure of the Cisco 
Hybrid Media ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6469 (A vulnerability in HTTP URL parsing of Cisco AsyncOS for Cisco 
Web ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6468 (A vulnerability in the web-based management interface of Cisco 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6467 (A vulnerability in IPv6 packet fragment reassembly of StarOS 
for Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6466 (A vulnerability in the IPsec component of StarOS for Cisco ASR 
5000 ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6465 (A vulnerability in the content filtering functionality of Cisco 
AsyncOS ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6464 (A vulnerability in the web management interface of the Cisco 
Unified ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6463 (A vulnerability in the email filtering functionality of Cisco 
AsyncOS ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6462 (A vulnerability in the email filtering functionality of Cisco 
AsyncOS ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6461 (A vulnerability in the HTTP web-based management interface of 
the Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6460 (A vulnerability in the FTP Representational State Transfer 
Application ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6459 (Cisco TelePresence endpoints running either CE or TC software 
contain a ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6458 (A vulnerability in the content filtering functionality of Cisco 
AsyncOS ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6457 (A vulnerability in the Cisco Nexus 9000 Series Platform Leaf 
Switches ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6456
        RESERVED
 CVE-2016-6455 (A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 
Series ...)
@@ -24798,9 +24799,9 @@
 CVE-2016-6451 (Multiple vulnerabilities in the web framework code of the Cisco 
Prime ...)
        NOT-FOR-US: Cisco
 CVE-2016-6450 (A vulnerability in the package unbundle utility of Cisco IOS XE 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6449 (A vulnerability in the system management of certain FireAMP 
system ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2016-6448 (A vulnerability in the Session Description Protocol (SDP) 
parser of ...)
        NOT-FOR-US: Cisco
 CVE-2016-6447 (A vulnerability in Cisco Meeting Server and Meeting App could 
allow an ...)
@@ -28376,7 +28377,7 @@
 CVE-2016-5373
        RESERVED
 CVE-2016-5372 (Cross-site request forgery (CSRF) vulnerability in NetApp Snap 
Creator ...)
-       TODO: check
+       NOT-FOR-US: NetApp
 CVE-2016-5371
        RESERVED
 CVE-2016-5370
@@ -28408,7 +28409,7 @@
 CVE-2016-5349
        RESERVED
 CVE-2016-5348 (The GPS component in Android 4.x before 4.4.4, 5.0.x before 
5.0.2, ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-5347
        RESERVED
 CVE-2016-5346
@@ -28417,15 +28418,15 @@
        RESERVED
        NOT-FOR-US: Qualcomm radio driver for Android
 CVE-2016-5344 (Multiple integer overflows in the MDSS driver for the Linux 
kernel ...)
-       TODO: check
+       - linux <not-affected> (Android-specific kernel patch)
 CVE-2016-5343 (drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice 
Service ...)
-       TODO: check
+       - linux <not-affected> (Android-specific kernel patch)
 CVE-2016-5342 (Heap-based buffer overflow in the wcnss_wlan_write function in 
...)
-       TODO: check
+       - linux <not-affected> (Android-specific kernel patch)
 CVE-2016-5341 (The GPS component in Android before 2016-12-05 allows ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-5340 (The is_ashmem_file function in drivers/staging/android/ashmem.c 
in a ...)
-       TODO: check
+       - linux <not-affected> (Android-specific kernel patch, 
is_ashmem_file/put_ashmem_file not present in mainline kernel)
 CVE-2016-5339
        RESERVED
 CVE-2014-9862 (Integer signedness error in bspatch.c in bspatch in bsdiff, as 
used in ...)
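Review bot: CVE-2016-5340 gets a concrete justification ("is_ashmem_file/put_ashmem_file not present in mainline kernel"), but CVE-2016-5342, CVE-2016-5343 and CVE-2016-5344 carry only the generic "(Android-specific kernel patch)". Since the CVE descriptions name specific code (the MDSS driver, drivers/soc/qcom/qdsp6v2/voice_svc.c, wcnss_wlan_write), recording for each that the named file or function is absent from the mainline tree, as was done for CVE-2016-5340, would let someone re-verify the not-affected claim without repeating the search.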
@@ -28462,13 +28463,13 @@
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01969.html
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=844864fbae66935951529408831c2f22367a57b6
 CVE-2016-5336 (VMware vRealize Automation 7.0.x before 7.1 allows remote 
attackers to ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2016-5335 (VMware Identity Manager 2.x before 2.7 and vRealize Automation 
7.0.x ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2016-5334 (VMware Identity Manager 2.x before 2.7.1 and vRealize 
Automation 7.x ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2016-5333 (VMware Photos OS OVA 1.0 before 2016-08-14 has a default SSH 
public ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2016-5332 (Directory traversal vulnerability in VMware vRealize Log 
Insight 2.x ...)
        NOT-FOR-US: vRealize Log Insight
 CVE-2016-5331 (CRLF injection vulnerability in VMware vCenter Server 6.0 
before U2 ...)
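Review bot: the four new lines use the vendor name ("NOT-FOR-US: VMware"), while the adjacent CVE-2016-5332 entry names the product ("vRealize Log Insight"). For CVE-2016-5334 and CVE-2016-5335, which cover VMware Identity Manager and vRealize Automation, naming the product in the NOT-FOR-US line matches the existing style and is more useful when grepping the file for a given product later.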


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
