Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d1f90040 by security tracker role at 2018-02-17T09:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,5 @@ +CVE-2018-7191 + RESERVED CVE-2018-7190 RESERVED CVE-2018-7189 @@ -32,14 +34,14 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) - leptonlib 1.75.3-2 (bug #890548) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a -CVE-2018-7180 - RESERVED -CVE-2018-7179 - RESERVED -CVE-2018-7178 - RESERVED -CVE-2018-7177 - RESERVED +CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! ...) + TODO: check +CVE-2018-7179 (SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! ...) + TODO: check +CVE-2018-7178 (SQL Injection exists in the Saxum Picker 3.2.10 component for Joomla! ...) + TODO: check +CVE-2018-7177 (SQL Injection exists in the Saxum Numerology 3.0.4 component for ...) + TODO: check CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) - frontaccounting <removed> (bug #890604) [wheezy] - frontaccounting <end-of-life> (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973) @@ -1615,12 +1617,12 @@ CVE-2017-18123 (The call parameter of /lib/exe/ajax.php in DokuWiki through 2017 - dokuwiki <unfixed> (bug #889281) NOTE: https://github.com/splitbrain/dokuwiki/issues/2029 NOTE: https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86 -CVE-2018-6585 - RESERVED -CVE-2018-6584 - RESERVED -CVE-2018-6583 - RESERVED +CVE-2018-6585 (SQL Injection exists in the JTicketing 2.0.16 component for Joomla! via ...) + TODO: check +CVE-2018-6584 (SQL Injection exists in the DT Register 3.2.7 component for Joomla! via ...) + TODO: check +CVE-2018-6583 (SQL Injection exists in the Timetable Responsive Schedule 1.5 component ...) + TODO: check CVE-2018-6582 (SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! ...) NOT-FOR-US: Zh GoogleMap component for Joomla! CVE-2018-6581 (SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a ...) @@ -2180,12 +2182,12 @@ CVE-2018-6398 (SQL Injection exists in the CP Event Calendar 3.0.1 component for NOT-FOR-US: CP Event Calendar component for Joomla! CVE-2018-6397 (Directory Traversal exists in the Picture Calendar 3.1.4 component for ...) NOT-FOR-US: Picture Calendar component for Joomla! -CVE-2018-6396 - RESERVED +CVE-2018-6396 (SQL Injection exists in the Google Map Landkarten through 4.2.3 ...) + TODO: check CVE-2018-6395 (SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! ...) NOT-FOR-US: Visual Calendar component for Joomla! -CVE-2018-6394 - RESERVED +CVE-2018-6394 (SQL Injection exists in the InviteX 3.0.5 component for Joomla! via the ...) + TODO: check CVE-2018-6393 (** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 ...) NOT-FOR-US: FreePBX CVE-2018-6392 (The filter_slice function in libavfilter/vf_transpose.c in FFmpeg ...) @@ -2305,18 +2307,18 @@ CVE-2018-6375 RESERVED CVE-2018-6374 (The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients ...) NOT-FOR-US: PulseUI in Pulse Secure Desktop Linux clients -CVE-2018-6373 - RESERVED -CVE-2018-6372 - RESERVED +CVE-2018-6373 (SQL Injection exists in the Fastball 2.5 component for Joomla! via the ...) + TODO: check +CVE-2018-6372 (SQL Injection exists in the JB Bus 2.3 component for Joomla! via the ...) + TODO: check CVE-2018-6371 RESERVED -CVE-2018-6370 - RESERVED +CVE-2018-6370 (SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via ...) + TODO: check CVE-2018-6369 RESERVED -CVE-2018-6368 - RESERVED +CVE-2018-6368 (SQL Injection exists in the JomEstate PRO through 3.7 component for ...) + TODO: check CVE-2018-6367 (SQL Injection exists in Vastal I-Tech Buddy Zone Facebook Clone 2.9.9 ...) NOT-FOR-US: Vastal I-Tech Buddy Zone Facebook Clone CVE-2018-6366 @@ -2669,8 +2671,8 @@ CVE-2018-6220 RESERVED CVE-2018-6219 RESERVED -CVE-2018-6218 - RESERVED +CVE-2018-6218 (A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking ...) + TODO: check CVE-2018-6217 (The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS ...) NOT-FOR-US: Kingsoft WPS Office CVE-2018-6216 @@ -3251,12 +3253,12 @@ CVE-2018-6008 (Arbitrary File Download exists in the Jtag Members Directory 5.3. NOT-FOR-US: Jtag Members Directory component for Joomla! CVE-2018-6007 (CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and ...) NOT-FOR-US: Support Ticket component for Joomla! -CVE-2018-6006 - RESERVED -CVE-2018-6005 - RESERVED -CVE-2018-6004 - RESERVED +CVE-2018-6006 (SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via ...) + TODO: check +CVE-2018-6005 (SQL Injection exists in the Realpin through 1.5.04 component for ...) + TODO: check +CVE-2018-6004 (SQL Injection exists in the File Download Tracker 3.0 component for ...) + TODO: check CVE-2017-18074 RESERVED CVE-2017-18073 @@ -3349,36 +3351,36 @@ CVE-2018-5996 (Insufficient exception handling in the method ...) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ CVE-2018-5995 RESERVED -CVE-2018-5994 - RESERVED -CVE-2018-5993 - RESERVED -CVE-2018-5992 - RESERVED -CVE-2018-5991 - RESERVED -CVE-2018-5990 - RESERVED -CVE-2018-5989 - RESERVED +CVE-2018-5994 (SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the ...) + TODO: check +CVE-2018-5993 (SQL Injection exists in the Aist through 2.0 component for Joomla! via ...) + TODO: check +CVE-2018-5992 (SQL Injection exists in the Staff Master through 1.0 RC 1 component for ...) + TODO: check +CVE-2018-5991 (SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via ...) + TODO: check +CVE-2018-5990 (SQL Injection exists in the AllVideos Reloaded 1.2.x component for ...) + TODO: check +CVE-2018-5989 (SQL Injection exists in the ccNewsletter 2.x component for Joomla! via ...) + TODO: check CVE-2018-5988 (SQL Injection exists in Flexible Poll 1.2 via the id parameter to ...) NOT-FOR-US: Flexible Poll -CVE-2018-5987 - RESERVED +CVE-2018-5987 (SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 ...) + TODO: check CVE-2018-5986 (SQL Injection exists in Easy Car Script 2014 via the s_order or s_row ...) NOT-FOR-US: Easy Car Script CVE-2018-5985 (SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for ...) NOT-FOR-US: LiveCRM SaaS Cloud CVE-2018-5984 (SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 ...) NOT-FOR-US: Tumder -CVE-2018-5983 - RESERVED -CVE-2018-5982 - RESERVED -CVE-2018-5981 - RESERVED -CVE-2018-5980 - RESERVED +CVE-2018-5983 (SQL Injection exists in the JquickContact 1.3.2.2.1 component for ...) + TODO: check +CVE-2018-5982 (SQL Injection exists in the Advertisement Board 3.1.0 component for ...) + TODO: check +CVE-2018-5981 (SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via ...) + TODO: check +CVE-2018-5980 (SQL Injection exists in the Solidres 2.5.1 component for Joomla! via ...) + TODO: check CVE-2018-5979 (SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 ...) NOT-FOR-US: Wchat Fully Responsive PHP AJAX Chat Script CVE-2018-5978 (SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the ...) @@ -3387,18 +3389,18 @@ CVE-2018-5977 (SQL Injection exists in Affiligator Affiliate Webshop Management NOT-FOR-US: Affiligator Affiliate Webshop Management System CVE-2018-5976 (Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 ...) NOT-FOR-US: RSVP Invitation Online -CVE-2018-5975 - RESERVED -CVE-2018-5974 - RESERVED +CVE-2018-5975 (SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! ...) + TODO: check +CVE-2018-5974 (SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! ...) + TODO: check CVE-2018-5973 (SQL Injection exists in Professional Local Directory Script 1.0 via ...) NOT-FOR-US: Professional Local Directory Script CVE-2018-5972 (SQL Injection exists in Classified Ads CMS Quickad 4.0 via the ...) NOT-FOR-US: Classified Ads CMS Quickad -CVE-2018-5971 - RESERVED -CVE-2018-5970 - RESERVED +CVE-2018-5971 (SQL Injection exists in the MediaLibrary Free 4.0.12 component for ...) + TODO: check +CVE-2018-5970 (SQL Injection exists in the JGive 2.0.9 component for Joomla! via the ...) + TODO: check CVE-2018-5969 (Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via ...) NOT-FOR-US: Photography CMS CVE-2018-5968 (FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 ...) @@ -3990,6 +3992,7 @@ CVE-2018-5736 RESERVED CVE-2018-5735 [assertion failure in validator.c:1858] RESERVED + {DLA-1285-1} - bind9 1:9.9.3.dfsg.P2-1 (bug #889285) NOTE: Issue similar/closely related to the CVE-2017-3139 issue in Red Hat. NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was @@ -4790,19 +4793,19 @@ CVE-2018-5382 RESERVED CVE-2018-5381 [fix infinite loop on certain invalid OPEN messages] RESERVED - {DSA-4115-1} + {DSA-4115-1 DLA-1286-1} - quagga <unfixed> (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1975.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=ce07207c50a3d1f05d6dd49b5294282e59749787 CVE-2018-5380 [debug print of received NOTIFY data can over-read msg array] RESERVED - {DSA-4115-1} + {DSA-4115-1 DLA-1286-1} - quagga <unfixed> (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1550.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=9e5251151894aefdf8e9392a2371615222119ad8 CVE-2018-5379 [Fix double free of unknown attribute] RESERVED - {DSA-4115-1} + {DSA-4115-1 DLA-1286-1} - quagga <unfixed> (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1114.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=e69b535f92eafb599329bf725d9b4c6fd5d7fded @@ -9158,8 +9161,8 @@ CVE-2017-17937 (Vanguard Marketplace Digital Products PHP has XSS via the phps_q NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17936 (Vanguard Marketplace Digital Products PHP has CSRF via /search. ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP -CVE-2018-3609 - RESERVED +CVE-2018-3609 (A vulnerability in the Trend Micro InterScan Messaging Security ...) + TODO: check CVE-2018-3608 RESERVED CVE-2018-3607 (XXXTreeNode method SQL injection remote code execution (RCE) ...) @@ -16177,8 +16180,7 @@ CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 an TODO: check CVE-2018-1050 RESERVED -CVE-2018-1049 [automount: access to automounted volumes can lock up] - RESERVED +CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount and ...) - systemd 234-1 [stretch] - systemd <postponed> (Minor issue, can either be included in future DSA or point release) [jessie] - systemd <postponed> (Minor issue, can either be included in future DSA or point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1f9004048865ee433a1d99ce34f31c8ab1f4595 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1f9004048865ee433a1d99ce34f31c8ab1f4595 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits