Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: a83985ce by security tracker role at 2018-01-31T21:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,139 @@ +CVE-2018-6480 (A type confusion issue was discovered in CCN-lite 2, leading to a ...) + TODO: check +CVE-2018-6479 (An issue was discovered on Netwave IP Camera devices. An ...) + TODO: check +CVE-2018-6478 + RESERVED +CVE-2018-6477 + RESERVED +CVE-2018-6476 (In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS ...) + TODO: check +CVE-2018-6475 (In SUPERAntiSpyware Professional Trial 6.0.1254, SUPERAntiSpyware.exe ...) + TODO: check +CVE-2018-6474 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file ...) + TODO: check +CVE-2018-6473 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file ...) + TODO: check +CVE-2018-6472 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file ...) + TODO: check +CVE-2018-6471 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file ...) + TODO: check +CVE-2018-6470 + RESERVED +CVE-2018-6469 + RESERVED +CVE-2018-6468 + RESERVED +CVE-2018-6467 + RESERVED +CVE-2018-6466 + RESERVED +CVE-2018-6465 (The PropertyHive plugin before 1.4.15 for WordPress has XSS via the ...) + TODO: check +CVE-2018-6464 (Simditor v2.3.11 allows XSS via crafted use of svg/onload=alert in a ...) + TODO: check +CVE-2018-6463 + RESERVED +CVE-2018-6462 (Tracker PDF-XChange Viewer and Viewer AX SDK before 2.5.322.8 mishandle ...) + TODO: check +CVE-2018-6461 + RESERVED +CVE-2018-6460 (Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and ...) + TODO: check +CVE-2018-6459 + RESERVED +CVE-2018-6458 + RESERVED +CVE-2018-6457 + RESERVED +CVE-2018-6456 + RESERVED +CVE-2018-6455 + RESERVED +CVE-2018-6454 + RESERVED +CVE-2018-6453 + RESERVED +CVE-2018-6452 + RESERVED +CVE-2018-6451 + RESERVED +CVE-2018-6450 + RESERVED +CVE-2018-6449 + RESERVED +CVE-2018-6448 + RESERVED +CVE-2018-6447 + RESERVED +CVE-2018-6446 + RESERVED +CVE-2018-6445 + RESERVED +CVE-2018-6444 + RESERVED +CVE-2018-6443 + RESERVED +CVE-2018-6442 + RESERVED +CVE-2018-6441 + RESERVED +CVE-2018-6440 + RESERVED +CVE-2018-6439 + RESERVED +CVE-2018-6438 + RESERVED +CVE-2018-6437 + RESERVED +CVE-2018-6436 + RESERVED +CVE-2018-6435 + RESERVED +CVE-2018-6434 + RESERVED +CVE-2018-6433 + RESERVED +CVE-2018-6432 + RESERVED +CVE-2018-6431 + RESERVED +CVE-2018-6430 + RESERVED +CVE-2018-6429 + RESERVED +CVE-2018-6428 + RESERVED +CVE-2018-6427 + RESERVED +CVE-2018-6426 + RESERVED +CVE-2018-6425 + RESERVED +CVE-2018-6424 + RESERVED +CVE-2018-6423 + RESERVED +CVE-2018-6422 + RESERVED +CVE-2018-6421 + RESERVED +CVE-2018-6420 + RESERVED +CVE-2018-6419 + RESERVED +CVE-2018-6418 + RESERVED +CVE-2018-6417 + RESERVED +CVE-2018-6416 + RESERVED +CVE-2018-6415 + RESERVED +CVE-2018-6414 + RESERVED +CVE-2018-6413 + RESERVED CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c ...) - linux <unfixed> NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2 @@ -62,8 +198,8 @@ CVE-2018-6386 RESERVED CVE-2018-6385 RESERVED -CVE-2018-6384 - RESERVED +CVE-2018-6384 (Unquoted Windows search path vulnerability in NSClient++ before ...) + TODO: check CVE-2018-6383 (Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that ...) NOT-FOR-US: Monstra CMS CVE-2018-6382 (MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via ...) @@ -1116,8 +1252,7 @@ CVE-2018-1000007 (libcurl 7.1 through 7.57.0 might accidentally leak authenticat - curl 7.58.0-1 NOTE: https://curl.haxx.se/docs/adv_2018-b3bf.html NOTE: Patch: https://github.com/curl/curl/commit/af32cd3859336ab.patch -CVE-2018-5996 [Memory Corruptions via RAR PPMd] - RESERVED +CVE-2018-5996 (Insufficient exception handling in the method ...) - p7zip-rar 16.02-2 (bug #888314) [stretch] - p7zip-rar <no-dsa> (Non-free not supported) [jessie] - p7zip-rar <no-dsa> (Non-free not supported) @@ -1604,8 +1739,7 @@ CVE-2018-5774 RESERVED CVE-2018-5773 (An issue was discovered in markdown2 (aka python-markdown2) through ...) NOT-FOR-US: python-markdown2 (not our markdown, different code base) -CVE-2017-18043 [integer overflow in ROUND_UP macro could result in DoS] - RESERVED +CVE-2017-18043 (Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) ...) - qemu 1:2.10.0+dfsg-2 [stretch] - qemu <postponed> (Can be fixed along in a future DSA) [jessie] - qemu <postponed> (Can be fixed along in a future DSA) @@ -1875,8 +2009,8 @@ CVE-2018-5703 (The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the L NOTE: https://lkml.org/lkml/2018/1/16/53 CVE-2017-18032 (The download-manager plugin before 2.9.52 for WordPress has XSS via the ...) NOT-FOR-US: download-manager plugin for WordPress -CVE-2018-5701 - RESERVED +CVE-2018-5701 (In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys ...) + TODO: check CVE-2018-5700 (Winmail Server through 6.2 allows remote code execution by ...) NOT-FOR-US: Winmail Server CVE-2018-5699 @@ -2670,8 +2804,7 @@ CVE-2018-5346 RESERVED CVE-2018-1000004 (In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a ...) - linux <unfixed> -CVE-2018-1000001 [Libc Realpath Buffer Underflow] - RESERVED +CVE-2018-1000001 (In glibc 2.26 and earlier there is confusion in the usage of getcwd() ...) - glibc 2.26-4 (bug #887001) [stretch] - glibc <postponed> (Minor issue, can be fixed along in next DSA or preferably point release) [jessie] - glibc <postponed> (Minor issue, can be fixed along in next DSA or preferably point release) @@ -6855,8 +6988,7 @@ CVE-2017-17948 (Cells Blog 3.5 has XSS via the jfdname parameter in an act=showp NOT-FOR-US: Cells Blog CVE-2017-17947 (A cross site scripting issue has been found in custompage.cgi in Pulse ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure -CVE-2017-1000411 - RESERVED +CVE-2017-1000411 (OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, ...) NOT-FOR-US: OpenDayLight CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attackers to ...) NOT-FOR-US: Handy Password @@ -16606,8 +16738,8 @@ CVE-2018-0138 RESERVED CVE-2018-0137 RESERVED -CVE-2018-0136 - RESERVED +CVE-2018-0136 (A vulnerability in the IPv6 subsystem of Cisco IOS XR Software Release ...) + TODO: check CVE-2018-0135 RESERVED CVE-2018-0134 @@ -16810,8 +16942,8 @@ CVE-2017-16947 RESERVED CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php in MISP ...) NOT-FOR-US: MISP -CVE-2017-16945 - RESERVED +CVE-2017-16945 (The standardrestorer binary in Arq 5.10 and earlier for Mac allows ...) + TODO: check CVE-2017-16942 (In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists ...) - libsndfile 1.0.27-1 [jessie] - libsndfile <no-dsa> (Minor issue) @@ -16891,8 +17023,8 @@ CVE-2017-16930 (The remote management interface on the Claymore Dual GPU miner 1 NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner CVE-2017-16929 (The remote management interface on the Claymore Dual GPU miner 10.1 is ...) NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner -CVE-2017-16928 - RESERVED +CVE-2017-16928 (The arq_updater binary in Arq 5.10 and earlier for Mac allows local ...) + TODO: check CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session ...) {DLA-1203-1} - xrdp 0.9.4-3 (bug #882463) @@ -17523,8 +17655,8 @@ CVE-2017-16860 RESERVED CVE-2017-16859 RESERVED -CVE-2017-16858 - RESERVED +CVE-2017-16858 (The 'crowd-application' plugin module (notably used by the Google Apps ...) + TODO: check CVE-2017-16857 (It is possible to bypass the bitbucket auto-unapprove plugin via ...) NOT-FOR-US: Atlassian CVE-2017-16856 (The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows ...) @@ -20785,8 +20917,8 @@ CVE-2017-15708 (In Apache Synapse, by default no authentication is required for NOT-FOR-US: Apache Synapse CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated ...) - libstruts1.2-java <not-affected> (Specific to 2.x) -CVE-2017-15706 - RESERVED +CVE-2017-15706 (As part of the fix for bug 61201, the documentation for Apache Tomcat ...) + TODO: check CVE-2017-15705 RESERVED CVE-2017-15704 @@ -20802,8 +20934,8 @@ CVE-2017-15700 (A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectVali CVE-2017-15699 RESERVED TODO: check, this is possibly specific to AMQ Interconnect as used by Red Hat JBoss, although based on Apache Qpid project -CVE-2017-15698 - RESERVED +CVE-2017-15698 (When parsing the AIA-Extension field of a client certificate, Apache ...) + TODO: check CVE-2017-15697 (A malicious X-ProxyContextPath or X-Forwarded-Context header ...) NOT-FOR-US: Apache NiFi CVE-2017-15696 @@ -20910,14 +21042,14 @@ CVE-2017-15658 RESERVED CVE-2017-15657 RESERVED -CVE-2017-15656 - RESERVED -CVE-2017-15655 - RESERVED -CVE-2017-15654 - RESERVED -CVE-2017-15653 - RESERVED +CVE-2017-15656 (Password are stored in plaintext in nvram in the HTTPd server in all ...) + TODO: check +CVE-2017-15655 (Multiple buffer overflow vulnerabilities exist in the HTTPd server in ...) + TODO: check +CVE-2017-15654 (Highly predictable session tokens in the HTTPd server in all current ...) + TODO: check +CVE-2017-15653 (Improper administrator IP validation after his login in the HTTPd ...) + TODO: check CVE-2017-15652 RESERVED CVE-2017-15651 (PRTG Network Monitor 17.3.33.2830 allows remote authenticated ...) @@ -41244,8 +41376,8 @@ CVE-2017-8918 (XXE in Dive Assistant - Template Builder in Blackwave Dive Assist NOT-FOR-US: Dive Assistant CVE-2017-8917 (SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows ...) NOT-FOR-US: Joomla -CVE-2017-8916 - RESERVED +CVE-2017-8916 (In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an ...) + TODO: check CVE-2017-8915 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) NOT-FOR-US: SAP CVE-2017-8914 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) @@ -62956,8 +63088,8 @@ CVE-2017-1775 RESERVED CVE-2017-1774 RESERVED -CVE-2017-1773 - RESERVED +CVE-2017-1773 (IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker ...) + TODO: check CVE-2017-1772 RESERVED CVE-2017-1771 @@ -64036,8 +64168,8 @@ CVE-2017-1235 (IBM WebSphere MQ 8.0 could allow an authenticated user to cause a NOT-FOR-US: IBM CVE-2017-1234 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM -CVE-2017-1233 - RESERVED +CVE-2017-1233 (IBM Remote Control v9 could allow a local user to use the component to ...) + TODO: check CVE-2017-1232 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1231 @@ -87843,11 +87975,13 @@ CVE-2016-3122 CVE-2016-3121 RESERVED CVE-2016-3120 (The validate_as_request function in kdc_util.c in the Key Distribution ...) + {DLA-1265-1} - krb5 1.14.3+dfsg-1 (bug #832572) [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458 CVE-2016-3119 (The process_db_args function in ...) + {DLA-1265-1} - krb5 1.14.2+dfsg-1 (bug #819468) [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 @@ -134460,6 +134594,7 @@ CVE-2014-5358 CVE-2014-5357 RESERVED CVE-2014-5355 (MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a ...) + {DLA-1265-1} - krb5 1.12.1+dfsg-18 (bug #778647) [squeeze] - krb5 <no-dsa> (Minor issue) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/102bb6ebf20f9174130c85c3b052ae104e5073ec @@ -134469,6 +134604,7 @@ CVE-2014-5354 (plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 [squeeze] - krb5 <not-affected> (do not expose a way for principal entries to have no long-term key material) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16 CVE-2014-5353 (The krb5_ldap_get_password_policy_from_dn function in ...) + {DLA-1265-1} - krb5 1.12.1+dfsg-16 (bug #773226) [squeeze] - krb5 <no-dsa> (Minor issue, needs elevated privileges to trigger crash) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3 @@ -134476,6 +134612,7 @@ CVE-2014-5352 (The krb5_gss_process_context_token function in ...) {DSA-3153-1 DLA-146-1} - krb5 1.12.1+dfsg-17 CVE-2014-5351 (The kadm5_randkey_principal_3 function in ...) + {DLA-1265-1} - krb5 1.12.1+dfsg-10 (bug #762479) [squeeze] - krb5 <no-dsa> (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018 @@ -144713,11 +144850,9 @@ CVE-2014-1634 RESERVED CVE-2014-1633 RESERVED -CVE-2014-1632 - RESERVED +CVE-2014-1632 (htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers ...) NOT-FOR-US: Eventum -CVE-2014-1631 - RESERVED +CVE-2014-1631 (Eventum before 2.3.5 allows remote attackers to reinstall the ...) NOT-FOR-US: Eventum CVE-2014-1630 RESERVED @@ -165093,6 +165228,7 @@ CVE-2013-1420 CVE-2013-1419 RESERVED CVE-2013-1418 (The setup_server_realm function in main.c in the Key Distribution ...) + {DLA-1265-1} - krb5 1.11.3+dfsg-3+nmu1 (low; bug #728845) [squeeze] - krb5 <no-dsa> (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a83985ce70341268b0eba21619acf04863efc926 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a83985ce70341268b0eba21619acf04863efc926 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits