Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7867a173 by Salvatore Bonaccorso at 2018-03-10T10:42:30+01:00
Update first entries included in 9.4

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6622,7 +6622,7 @@ CVE-2018-5749 (install.php in Minecraft Servers List Lite 
before commit c1cd164 
        NOT-FOR-US: Minecraft Servers List Lite
 CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a 
denial of ...)
        - libvirt 4.0.0-1 (bug #887700)
-       [stretch] - libvirt <no-dsa> (Minor issue)
+       [stretch] - libvirt 3.0.0-4+deb9u2
        [jessie] - libvirt <no-dsa> (Minor issue)
        [wheezy] - libvirt <postponed> (Can be fixed in a later update)
        NOTE: 
https://www.redhat.com/archives/libvir-list/2017-December/msg00749.html
@@ -8414,7 +8414,7 @@ CVE-2018-5079 (In K7 AntiVirus 15.1.0306, the driver file 
(K7FWHlpr.sys) allows 
        NOT-FOR-US: K7 AntiVirus
 CVE-2017-18021 (It was discovered that QtPass before 1.2.1, when using the 
built-in ...)
        - qtpass 1.2.1-1
-       [stretch] - qtpass <no-dsa> (default setup in Debian is not affected)
+       [stretch] - qtpass 1.1.6-1+deb9u1
        NOTE: 
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
        NOTE: https://github.com/IJHack/QtPass/issues/338
 CVE-2017-18020 (On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) 
software and ...)
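Review bot: the removed [stretch] line for CVE-2017-18021 carried the rationale "default setup in Debian is not affected", and the replacement line drops it without recording it elsewhere. Consider keeping that statement as a NOTE: line under the entry, next to the two existing NOTE: links, so the assessment of the default configuration stays visible now that the line holds the fixed version 1.1.6-1+deb9u1.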
@@ -11120,7 +11120,7 @@ CVE-2017-1000427 (marked version 0.3.6 and earlier is 
vulnerable to an XSS attac
        NOTE: nodejs not covered by security support
 CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross 
Site ...)
        - mapproxy 1.10.4-1 (low)
-       [stretch] - mapproxy <no-dsa> (Minor issue)
+       [stretch] - mapproxy 1.9.0-3+deb9u1
        NOTE: https://github.com/mapproxy/mapproxy/issues/322
        NOTE: 
https://github.com/mapproxy/mapproxy/commit/2e102843203c11b02c002daa08ca59d05d5eff5a
 (master)
        NOTE: 
https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
 (1.10.x)
@@ -17728,6 +17728,7 @@ CVE-2017-17532 (examples/framework/news/news3.py in 
Kiwi 1.9.22 does not validat
        NOTE: Only in examples code, negligible impact
 CVE-2017-17531 (gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before 
...)
        - global 6.6.1-1 (unimportant; bug #884912)
+       [stretch] - global 6.5.6-2+deb9u1
        NOTE: 
https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/#L269
 CVE-2017-17530 (common/help.c in Geomview 1.9.5 does not validate strings 
before ...)
        - geomview <unfixed> (unimportant)
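Review bot: the [stretch] line added for CVE-2017-17531 is the only pure addition in this patch. Every other hunk replaces an existing <no-dsa> line, while this entry had no stretch annotation and its package line is tagged "unimportant". Please confirm that 6.5.6-2+deb9u1 really carries the gozilla.c change rather than being listed only because global was part of the point release. If it does, the line is fine as a record of the fixed version.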
@@ -17826,7 +17827,7 @@ CVE-2017-17512 (sensible-browser in sensible-utils 
before 0.0.11 does not valida
 CVE-2017-17511 (KildClient 3.1.0 does not validate strings before launching 
the program ...)
        {DLA-1210-1}
        - kildclient 3.2.0-1 (bug #885007)
-       [stretch] - kildclient <no-dsa> (Minor issue)
+       [stretch] - kildclient 3.1.0-1+deb9u1
        [jessie] - kildclient <no-dsa> (Minor issue)
        NOTE: 
https://sources.debian.org/src/kildclient/3.1.0-1/src/worldgui.c/?hl=1159#L1159
        NOTE: 
https://sources.debian.org/src/kildclient/3.1.0-1/src/prefs.c/?hl=324#L324
@@ -22242,7 +22243,7 @@ CVE-2017-1000126 (exiv2 0.26 contains a Stack out of 
bounds read in webp parser 
        NOTE: https://github.com/Exiv2/exiv2/issues/175
 CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in 
...)
        - ncurses 6.0+20171125-1 (bug #882620)
-       [stretch] - ncurses <no-dsa> (Minor issue)
+       [stretch] - ncurses 6.0+20161126-1+deb9u2
        [jessie] - ncurses <no-dsa> (Minor issue)
        [wheezy] - ncurses <ignored> (Minor issue)
        NOTE: PoC 
https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz
@@ -29094,13 +29095,13 @@ CVE-2017-14697
        RESERVED
 CVE-2017-14696 (SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, 
and ...)
        - salt 2016.11.8+dfsg1-1 (bug #879090)
-       [stretch] - salt <no-dsa> (Minor issue)
+       [stretch] - salt 2016.11.2+ds-1+deb9u1
        [jessie] - salt <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b
        NOTE: Fixed by: 
https://github.com/saltstack/salt/commit/89e084bda356739de645c15e7d1968afebdcc56e
 (2016.11)
 CVE-2017-14695 (Directory traversal vulnerability in minion id validation in 
SaltStack ...)
        - salt 2016.11.8+dfsg1-1 (bug #879089)
-       [stretch] - salt <no-dsa> (Minor issue)
+       [stretch] - salt 2016.11.2+ds-1+deb9u1
        [jessie] - salt <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d
        NOTE: Fixed by: 
https://github.com/saltstack/salt/commit/206ae23f15cb7ec95a07dee4cbe9802da84f9c42
 (2016.11)
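Review bot: both [stretch] lines in this hunk, and the one for CVE-2017-12791 in a later hunk, point at the same upload, 2016.11.2+ds-1+deb9u1. CVE-2017-14695 and CVE-2017-12791 show the same truncated description ("Directory traversal vulnerability in minion id validation in SaltStack ...") but reference different upstream commits. It is worth checking that the deb9u1 changelog names all three CVE ids and includes the 2016.11 branch commits listed in the "Fixed by" notes, so the earlier minion id fix is not recorded as covering the later one.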
@@ -29339,7 +29340,7 @@ CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL 
Pointer Dereference vulnerabi
        NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97
 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an 
attacker ...)
        - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404)
-       [stretch] - golang-github-go-ldap-ldap <no-dsa> (Minor issue)
+       [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1
        NOTE: https://github.com/go-ldap/ldap/pull/126
        NOTE: 
https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
 CVE-2017-14622 (Multiple cross-site scripting (XSS) vulnerabilities in the 2kb 
Amazon ...)
@@ -34955,7 +34956,7 @@ CVE-2017-12792 (Multiple cross-site request forgery 
(CSRF) vulnerabilities in Ne
        NOT-FOR-US: NexusPHP
 CVE-2017-12791 (Directory traversal vulnerability in minion id validation in 
SaltStack ...)
        - salt 2016.11.8+dfsg1-1 (bug #872399)
-       [stretch] - salt <no-dsa> (Minor issue)
+       [stretch] - salt 2016.11.2+ds-1+deb9u1
        [jessie] - salt <no-dsa> (Minor issue)
        NOTE: https://github.com/saltstack/salt/pull/42944
        NOTE: 
https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a
@@ -36839,7 +36840,7 @@ CVE-2017-12134 (The xen_biovec_phys_mergeable function 
in drivers/xen/biomerge.c
        NOTE: 
https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 
(v4.13-rc6)
 CVE-2017-12133 (The DNS stub resolver in the GNU C Library (glibc) before 
version ...)
        - glibc 2.24-15 (bug #870648)
-       [stretch] - glibc <no-dsa> (Minor issue)
+       [stretch] - glibc 2.24-11+deb9u2
        [jessie] - glibc <no-dsa> (Minor issue)
        - eglibc <removed>
        [wheezy] - eglibc <no-dsa> (Minor issue)
@@ -41660,7 +41661,7 @@ CVE-2017-9869 (The II_step_one function in layer2.c in 
mpglib, as used in ...)
 CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence 
file) is ...)
        {DLA-1146-1}
        - mosquitto 1.4.14-1 (bug #865959)
-       [stretch] - mosquitto <no-dsa> (Minor issue)
+       [stretch] - mosquitto 1.4.10-3+deb9u1
        [jessie] - mosquitto <no-dsa> (Minor issue)
        NOTE: https://github.com/eclipse/mosquitto/issues/468
        NOTE: 
https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7
@@ -45349,17 +45350,17 @@ CVE-2017-9261 (In ImageMagick 7.0.5-6 Q16, the 
ReadMNGImage function in coders/p
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199
 CVE-2017-9260 (The TDStretchSSE::calcCrossCorr function in ...)
        - soundtouch 1.9.2-3 (low; bug #870857)
-       [stretch] - soundtouch <no-dsa> (Minor issue)
+       [stretch] - soundtouch 1.9.2-2+deb9u1
        [jessie] - soundtouch <no-dsa> (Minor issue)
        [wheezy] - soundtouch <no-dsa> (Minor issue)
 CVE-2017-9259 (The TDStretch::acceptNewOverlapLength function in ...)
        - soundtouch 1.9.2-3 (low; bug #870856)
-       [stretch] - soundtouch <no-dsa> (Minor issue)
+       [stretch] - soundtouch 1.9.2-2+deb9u1
        [jessie] - soundtouch <no-dsa> (Minor issue)
        [wheezy] - soundtouch <no-dsa> (Minor issue)
 CVE-2017-9258 (The TDStretch::processSamples function in ...)
        - soundtouch 1.9.2-3 (low; bug #870854)
-       [stretch] - soundtouch <no-dsa> (Minor issue)
+       [stretch] - soundtouch 1.9.2-2+deb9u1
        [jessie] - soundtouch <no-dsa> (Minor issue)
        [wheezy] - soundtouch <no-dsa> (Minor issue)
 CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in 
Freeware ...)
@@ -50862,7 +50863,7 @@ CVE-2017-7537
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817
 CVE-2017-7536 (In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 
5.4.x, it ...)
        - libhibernate-validator-java 4.3.3-4 (bug #885577)
-       [stretch] - libhibernate-validator-java <no-dsa> (Minor issue)
+       [stretch] - libhibernate-validator-java 4.3.3-1+deb9u1
        [jessie] - libhibernate-validator-java <not-affected> (Vulnerable code 
introduced in 4.3)
        [wheezy] - libhibernate-validator-java <not-affected> (Vulnerable code 
introduced in 4.3)
        NOTE: 
https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7867a173d0348da7341b40c9459898b9e1ecc6c5
